#VU98815 Insufficiently protected credentials in AIPHONE products - CVE-2024-39290


Vulnerability identifier: #VU98815

Vulnerability risk: Low

CVSSv4.0: 4.9 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-39290

CWE-ID: CWE-522

Exploitation vector: Local network

Exploit availability: No

Vulnerable software (category: Hardware solutions / Firmware):
IX-MV
IX-MV7-HB
IX-MV7-HBT
IX-MV7-HW
IX-MV7-HWT
IX-MV7-HW-JP
IX-MV7-B
IX-MV7-BT
IX-MV7-W
IX-MV7-WT
IX-DA
IX-DAU
IX-DB
IX-DBT
IX-EA
IX-EAT
IX-EAU
IX-DV
IX-DVT
IX-DVF
IX-DVF-P
IX-DVF-L
IX-DVM
IX-DU
IX-DVF-RA
IX-DVF-2RA
IX-BA
IX-BAU
IX-BB
IX-BBT
IX-FA
IX-SSA
IX-SS-2G
IX-SS-2GT
IX-SS-2G-N
IX-BU
IX-SSA-RA
IX-SSA-2RA
IX-RS-B
IX-RS-BT
IX-RS-W
IX-RS-WT
IXW-MA
IX-SPMIC
IXG-2C7
IXG-2C7-L
IXG-DM7
IXG-DM7-HID
IXG-DM7-HIDA
IXG-DM7-10K
IXG-MK
IXGW-GW
IXGW-TGW
IXGW-LC

Vendor: AIPHONE

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to insufficiently protected credentials. A remote attacker on the local network can obtain sensitive information such as a username and its password in the address book.

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

IX-MV: 7.10

IX-MV7-HB: 7.10

IX-MV7-HBT: 7.10

IX-MV7-HW: 7.10

IX-MV7-HWT: 7.10

IX-MV7-HW-JP: 7.10

IX-MV7-B: 7.10

IX-MV7-BT: 7.10

IX-MV7-W: 7.10

IX-MV7-WT: 7.10

IX-DA: 7.10

IX-DAU: 7.10

IX-DB: 7.10

IX-DBT: 7.10

IX-EA: 7.10

IX-EAT: 7.10

IX-EAU: 7.10

IX-DV: 7.11

IX-DVT: 7.11

IX-DVF: 7.11

IX-DVF-P: 7.11

IX-DVF-L: 7.11

IX-DVM: 7.10

IX-DU: 7.11

IX-DVF-RA: 7.11

IX-DVF-2RA: 7.11

IX-BA: 7.10

IX-BAU: 7.10

IX-BB: 7.10

IX-BBT: 7.10

IX-FA: 7.10

IX-SSA: 7.11

IX-SS-2G: 7.10

IX-SS-2GT: 7.10

IX-SS-2G-N: 7.10

IX-BU: 7.11

IX-SSA-RA: 7.11

IX-SSA-2RA: 7.11

IX-RS-B: 7.10

IX-RS-BT: 7.10

IX-RS-W: 7.10

IX-RS-WT: 7.10

IXW-MA: 7.10

IX-SPMIC: 7.10

IXG-2C7: 3.01

IXG-2C7-L: 3.01

IXG-DM7: 3.00

IXG-DM7-HID: 3.00

IXG-DM7-HIDA: 3.00

IXG-DM7-10K: 3.00

IXG-MK: 3.00

IXGW-GW: 3.01

IXGW-TGW: 3.01

IXGW-LC: 3.00


External links
https://jvn.jp/en/jp/JVN41397971/index.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

