Multiple vulnerabilities in Hughes Network Systems WL3000 Fusion Software
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2024-39278 CVE-2024-42495 |
| CWE-ID | CWE-522 CWE-311 |
| Exploitation vector | Local network |
| Public exploit | N/A |
| Vulnerable software |
WL3000 Fusion Software Other software / Other software solutions |
| Vendor |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Insufficiently protected credentials
EUVDB-ID: #VU96920
Risk: Low
CVSSv3.1: 3.7 [CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-39278
CWE-ID:
CWE-522 - Insufficiently Protected Credentials
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to compromise the target system.
The vulnerability exists due to the credentials to access device configuration information are stored unencrypted in flash memory. An attacker with physical access can gain access to network configuration information and terminal configuration data.
MitigationInstall updates from vendor's website.
Vulnerable software versionsWL3000 Fusion Software: before 2.7.0.10
CPE2.3http://www.cisa.gov/news-events/ics-advisories/icsa-24-249-01
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Missing Encryption of Sensitive Data
EUVDB-ID: #VU96921
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-42495
CWE-ID:
CWE-311 - Missing Encryption of Sensitive Data
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to credentials to access device configuration are transmitted using an unencrypted protocol. A remote attacker on the local network can gain unauthorized access to sensitive information on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsWL3000 Fusion Software: before 2.7.0.10
CPE2.3http://www.cisa.gov/news-events/ics-advisories/icsa-24-249-01
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
