Insecure Update Mechanism in Bitdefender Box Affects Device Security
CVE-2024-13872

9.4CRITICAL

Key Information:

Vendor: Bitdefender
Status: Box V1
Vendor: CVE Published:; 12 March 2025

🔔 Create Bitdefender Vulnerability Alert

What is CVE-2024-13872?

The Bitdefender Box has a vulnerability that results from using the insecure HTTP protocol for downloading essential assets for updates and daemon restarts. This flaw allows remote attackers to exploit the API method /set_temp_token to execute man-in-the-middle (MITM) attacks. By intercepting these updates, attackers can inject malicious responses, which could lead to remote code execution through compromised daemons using affected updates. This vulnerability poses a significant risk to the security and integrity of the affected devices.

Affected Version(s)

BOX v1 1.3.11.490 < 1.3.11.505

References

https://bitdefender.com/support/security-advisories/insec...

CVSS V4

Score:

9.4

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 12, 2025
Vulnerability Reserved
Feb 13, 2025

Credit

Alan Cao