ID

VAR-202503-1168


CVE

CVE-2024-13872


TITLE

Bitdefender BOX firmware: cleartext transmission of sensitive information vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2025-010289

DESCRIPTION

Bitdefender Box, versions 1.3.11.490 through 1.3.11.505, uses the insecure HTTP protocol to download assets over the Internet to update and restart daemons and detection rules on the devices. Updates can be remotely triggered through the /set_temp_token API method. An unauthenticated, network-adjacent attacker can then use man-in-the-middle (MITM) techniques to return malicious responses. Restarted daemons that use the malicious assets can then be exploited for remote code execution on the device.

The Bitdefender BOX firmware contains a vulnerability involving the transmission of sensitive information in cleartext. Information may be obtained or tampered with, and service operation may be interrupted (DoS).

Trust: 1.62

sources: NVD: CVE-2024-13872 // JVNDB: JVNDB-2025-010289

AFFECTED PRODUCTS

vendor: bitdefender, model: box, scope: lte, version: 1.3.11.505

Trust: 1.0

vendor: bitdefender, model: box, scope: gte, version: 1.3.11.490

Trust: 1.0

vendor: bitdefender, model: box, scope: eq, version: bitdefender box firmware 1.3.11.490 to 1.3.11.505

Trust: 0.8

vendor: bitdefender, model: box, scope: -, version: -

Trust: 0.8

vendor: bitdefender, model: box, scope: eq, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2025-010289 // NVD: CVE-2024-13872

CVSS

SEVERITY

nvd@nist.gov: CVE-2024-13872
value: HIGH

Trust: 1.0

cve-requests@bitdefender.com: CVE-2024-13872
value: CRITICAL

Trust: 1.0

NVD: CVE-2024-13872
value: HIGH

Trust: 0.8

CVSSV3

nvd@nist.gov: CVE-2024-13872
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.6
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2024-13872
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2025-010289 // NVD: CVE-2024-13872 // NVD: CVE-2024-13872

PROBLEMTYPE DATA

problemtype: CWE-319

Trust: 1.0

problemtype: Cleartext transmission of sensitive information (CWE-319) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2025-010289 // NVD: CVE-2024-13872

EXTERNAL IDS

db: NVD, id: CVE-2024-13872

Trust: 2.6

db: JVNDB, id: JVNDB-2025-010289

Trust: 0.8

sources: JVNDB: JVNDB-2025-010289 // NVD: CVE-2024-13872

REFERENCES

url: https://bitdefender.com/support/security-advisories/insecure-update-mechanism-vulnerability-in-libboxhermes-so-in-bitdefender-box-v1

Trust: 1.8

url: https://nvd.nist.gov/vuln/detail/cve-2024-13872

Trust: 0.8

sources: JVNDB: JVNDB-2025-010289 // NVD: CVE-2024-13872

SOURCES

db: JVNDB, id: JVNDB-2025-010289
db: NVD, id: CVE-2024-13872

LAST UPDATE DATE

2025-08-02T23:18:48.679000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2025-010289, date: 2025-07-31T02:35:00
db: NVD, id: CVE-2024-13872, date: 2025-07-30T00:39:58.580

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2025-010289, date: 2025-07-31T00:00:00
db: NVD, id: CVE-2024-13872, date: 2025-03-12T12:15:14.273