Low-Privileged User Can Execute Arbitrary Code Remotely on Device with High Privileges
CVE-2024-2162
8.8 HIGH
What is CVE-2024-2162?
An OS command injection vulnerability exists in Kiloview's NDI products that allows low-privileged users to remotely execute arbitrary code with elevated privileges on affected devices. This flaw can be exploited to compromise system integrity and confidentiality, so users should apply the recent firmware update, version 2.02.0227, to mitigate it. Impacted devices include the Kiloview NDI N3, N3-s, N4, N20, N30, and N40.
Affected Version(s)
NDI N3 Firmware 2.02.0227
NDI N3-s Firmware 2.02.0227