NEC Corporation UNIVERGE IX vulnerable to Command Injection
CVE-2024-11013

7.2 HIGH

Key Information:

Vendor: NEC Corporation
Products: UNIVERGE IX, UNIVERGE IX-R/IX-V
CVE Published: 29 November 2024

Badges

Trended | Score: 2,530 | News Worthy

What is CVE-2024-11013?

CVE-2024-11013 is a command injection vulnerability found in the NEC Corporation UNIVERGE IX communication software, which is utilized for unified communication and collaboration in enterprise environments. This vulnerability affects various versions of the software, enabling attackers to inject arbitrary command-line interface (CLI) commands through the management interface. If exploited, this could lead to unauthorized execution of commands on the affected systems, posing significant risks to organizational security and infrastructure.

Technical Details

The vulnerability exists in NEC Corporation UNIVERGE IX from version 9.2 to version 10.10.21, as well as specific versions within the 10.8 and 10.9 release series, and in UNIVERGE IX-R/IX-V version 1.2.15 and earlier. The flaw allows attackers to send specially crafted requests through the management interface, resulting in the execution of injected commands that could compromise the integrity of the device and potentially give the attacker unauthorized access to network resources.

Impact of the Vulnerability

  1. Unauthorized Command Execution: This vulnerability permits attackers to execute arbitrary commands on the device, which could be leveraged to manipulate system settings or gain further access to sensitive information.

  2. Compromise of Data Integrity: The ability to inject commands can allow malicious actors to alter or delete data, leading to integrity issues that can impact communication and business operations.

  3. Increased Attack Surface: Organizations utilizing the affected versions of UNIVERGE IX may face greater risks as the vulnerability creates opportunities for lateral movement within the network, potentially facilitating further attacks or data exfiltration.

Affected Version(s)

UNIVERGE IX from Ver9.2 to Ver10.10.21

UNIVERGE IX for Ver10.8 up to Ver10.8.27

UNIVERGE IX for Ver10.9 up to Ver10.9.14
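An inventory check against the ranges listed above, plus the IX-R/IX-V bound given under Technical Details. This is an added example, not NEC's or this site's code. The product labels, hostnames and sample versions are constructed, and it assumes the 10.8 and 10.9 series bounds take precedence over the general range for versions in those series.

```python
import re

# Affected ranges as stated on this page (bounds inclusive).
IX_MIN, IX_MAX = (9, 2, 0), (10, 10, 21)
# Assumption: the 10.8 and 10.9 series have their own upper bounds, which take
# precedence over the general range for versions inside those series.
IX_SERIES_MAX = {(10, 8): (10, 8, 27), (10, 9): (10, 9, 14)}
IXRV_MAX = (1, 2, 15)  # UNIVERGE IX-R/IX-V: Ver1.2.15 and earlier

_VERSION = re.compile(r"\s*(?:ver(?:sion)?\.?|v)?\s*(\d+(?:\.\d+){1,3})\s*", re.I)


def parse_version(text):
    """'Ver10.9.14', 'v10.9.14' or '9.2' -> tuple of ints, padded to 3 parts."""
    m = _VERSION.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad so '9.2' compares as 9.2.0


def is_affected(product, version_text):
    """True if the product/version pair falls in a range listed on this page."""
    v = parse_version(version_text)
    name = product.strip().upper()
    if name in ("IX-R", "IX-V", "IX-R/IX-V"):
        return v <= IXRV_MAX
    if name != "IX":
        raise ValueError(f"unknown product label: {product!r}")
    series_max = IX_SERIES_MAX.get(v[:2])
    if series_max is not None:
        return v <= series_max
    return IX_MIN <= v <= IX_MAX


def triage(inventory):
    """Return hostnames whose firmware is in an affected range."""
    return [host for host, product, ver in inventory if is_affected(product, ver)]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("site-a-01", "IX", "Ver10.9.14"),
    ("site-b-01", "IX", "Ver10.10.22"),
    ("site-c-01", "IX", "10.8.28"),
    ("site-d-01", "IX-V", "1.2.15"),
    ("site-e-01", "IX", "9.2"),
]
```

Versions are compared as integer tuples because a plain string comparison would sort "10.9.14" after "10.10.21" and misjudge the range.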

News Articles

KMSpico-10.2.0-install.zip – TNT Sécurité

CVE-2024-47094, 29 November 2024, Medium Severity. Description: Insertion of Sensitive Information into Log File in Checkmk GmbH's Checkmk versions. CVE-2024-50357, 29 November 2024, Critical Severity. Description...

1 month ago

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability started trending

  • First article discovered by tntsecurite.ca

  • Vulnerability published

  • Vulnerability Reserved

Credit

RyotaK of Flatt Security Inc.