Details of VAR-202406-0826

ID

VAR-202406-0826

CVE

CVE-2024-23922

TITLE

Sony Corporation's xav-ax5500 Insufficient validation of data authenticity in firmware vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2024-009438

DESCRIPTION

Sony XAV-AX5500 Insufficient Firmware Update Validation Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Sony XAV-AX5500 devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of software updates. The issue results from the lack of proper validation of software update packages. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-22939. (DoS) It may be in a state. SONY XAV-AX5500 is a 7-inch in-vehicle central control device with multiple functions and advanced technical features

Trust: 3.42

sources: NVD: CVE-2024-23922 // JVNDB: JVNDB-2024-009438 // ZDI: ZDI-24-878 // ZDI: ZDI-24-874 // CNVD: CNVD-2025-14983

IOT TAXONOMY

category:

['IoT']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2025-14983

AFFECTED PRODUCTS

vendor:	sony	model:	xav-ax5500	scope:	-	version:	-	Trust: 2.0
vendor:	sony	model:	xav-ax5500	scope:	eq	version:	1.13	Trust: 1.0
vendor:	ソニー株式会社	model:	xav-ax5500	scope:	eq	version:	xav-ax5500 firmware 1.13	Trust: 0.8
vendor:	ソニー株式会社	model:	xav-ax5500	scope:	-	version:	-	Trust: 0.8
vendor:	ソニー株式会社	model:	xav-ax5500	scope:	eq	version:	-	Trust: 0.8

sources: ZDI: ZDI-24-878 // ZDI: ZDI-24-874 // CNVD: CNVD-2025-14983 // JVNDB: JVNDB-2024-009438 // NVD: CVE-2024-23922

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI:	CVE-2024-23922
value:	MEDIUM
Trust: 1.4
nvd@nist.gov:	CVE-2024-23922
value:	MEDIUM
Trust: 1.0
cve@asrg.io:	CVE-2024-23922
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2024-23922
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2025-14983
value:	HIGH
Trust: 0.6

CNVD:	CNVD-2025-14983
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2024-23922
baseSeverity:	MEDIUM
baseScore:	6.8
vectorString:	CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	PHYSICAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	0.9
impactScore:	5.9
version:	3.1
Trust: 2.0
ZDI:	CVE-2024-23922
baseSeverity:	MEDIUM
baseScore:	6.8
vectorString:	AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	PHYSICAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	0.9
impactScore:	5.9
version:	3.0
Trust: 1.4
NVD:	CVE-2024-23922
baseSeverity:	MEDIUM
baseScore:	6.8
vectorString:	CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	PHYSICAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: ZDI: ZDI-24-878 // ZDI: ZDI-24-874 // CNVD: CNVD-2025-14983 // JVNDB: JVNDB-2024-009438 // NVD: CVE-2024-23922 // NVD: CVE-2024-23922

PROBLEMTYPE DATA

problemtype:	CWE-345	Trust: 1.0
problemtype:	Inadequate verification of data reliability (CWE-345) [ others ]	Trust: 0.8
problemtype:	Inadequate verification of data reliability (CWE-345) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2024-009438 // NVD: CVE-2024-23922

PATCH

title:	Sony has issued an update to correct this vulnerability.	url:	https://www.sony.com/electronics/support/mobile-cd-players-digital-media-players-xav-series/xav-ax5500/software/00274156	Trust: 1.4
title:	Patch for SONY XAV-AX5500 Code Execution Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/703841	Trust: 0.6

sources: ZDI: ZDI-24-878 // ZDI: ZDI-24-874 // CNVD: CNVD-2025-14983

EXTERNAL IDS

db:	NVD	id:	CVE-2024-23922	Trust: 4.6
db:	ZDI	id:	ZDI-24-874	Trust: 2.5
db:	ZDI	id:	ZDI-24-878	Trust: 1.3
db:	JVNDB	id:	JVNDB-2024-009438	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-23319	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-22939	Trust: 0.7
db:	CNVD	id:	CNVD-2025-14983	Trust: 0.6

sources: ZDI: ZDI-24-878 // ZDI: ZDI-24-874 // CNVD: CNVD-2025-14983 // JVNDB: JVNDB-2024-009438 // NVD: CVE-2024-23922

REFERENCES

url:	https://www.sony.com/electronics/support/mobile-cd-players-digital-media-players-xav-series/xav-ax5500/software/00274156	Trust: 3.2
url:	https://www.zerodayinitiative.com/advisories/zdi-24-874/	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2024-23922	Trust: 0.8
url:	https://www.zerodayinitiative.com/advisories/zdi-24-878/	Trust: 0.6

sources: ZDI: ZDI-24-878 // ZDI: ZDI-24-874 // CNVD: CNVD-2025-14983 // JVNDB: JVNDB-2024-009438 // NVD: CVE-2024-23922

CREDITS

Aapo Oksman from Juurin Oy

Trust: 0.7

sources: ZDI: ZDI-24-878

SOURCES

db:	ZDI	id:	ZDI-24-878
db:	ZDI	id:	ZDI-24-874
db:	CNVD	id:	CNVD-2025-14983
db:	JVNDB	id:	JVNDB-2024-009438
db:	NVD	id:	CVE-2024-23922

LAST UPDATE DATE

2025-07-04T23:40:50.682000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-24-878	date:	2024-08-15T00:00:00
db:	ZDI	id:	ZDI-24-874	date:	2024-08-15T00:00:00
db:	CNVD	id:	CNVD-2025-14983	date:	2025-07-03T00:00:00
db:	JVNDB	id:	JVNDB-2024-009438	date:	2024-10-01T01:01:00
db:	NVD	id:	CVE-2024-23922	date:	2024-09-30T15:37:28.453

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-24-878	date:	2024-06-21T00:00:00
db:	ZDI	id:	ZDI-24-874	date:	2024-06-21T00:00:00
db:	CNVD	id:	CNVD-2025-14983	date:	2025-07-01T00:00:00
db:	JVNDB	id:	JVNDB-2024-009438	date:	2024-10-01T00:00:00
db:	NVD	id:	CVE-2024-23922	date:	2024-09-23T15:15:13.010