Deserialization Vulnerability Affects Delta Electronics' InfraSuite Device Master
CVE-2024-10456

9.8CRITICAL

Key Information:

Vendor: Delta Electronics
Status: Infrasuite Device Master
Vendor: CVE Published:; 30 October 2024

Summary

Delta Electronics InfraSuite Device Master versions prior to 1.0.12 are susceptible to a deserialization vulnerability that affects the Device-Gateway component. This vulnerability allows the deserialization of arbitrary .NET objects even before authentication is completed. Exploiting this flaw can lead to potential unauthorized actions or information leakage, thereby posing significant risks to the operational integrity and security of the affected systems.

Affected Version(s)

InfraSuite Device Master 0 <= 1.0.12

References

https://www.cisa.gov/news-events/ics-advisories/icsa-24-3...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 30, 2024
Vulnerability Reserved
Oct 28, 2024

Credit

Simon Humbert of Trend Micro reported this vulnerability to CISA.