Multiple vulnerabilities in 2N Access Commander
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2024-47253 CVE-2024-47254 CVE-2024-47255 |
| CWE-ID | CWE-22 CWE-345 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Access Commander Client/Desktop applications / Software for system administration |
| Vendor | 2N TELEKOMUNIKACE a.s. |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Path traversal
EUVDB-ID: #VU100642
Risk: Low
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-47253
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote administrator can send a specially crafted HTTP request and write arbitrary files on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsAccess Commander: - - 3.1.1.2
CPE2.3- cpe:2.3:a:2n_telekomunikace:access_commander:*:*:*:*:*:*:*:*
- cpe:2.3:a:2n_telekomunikace:access_commander:3.1.1.2:*:*:*:*:*:*:*
https://www.2n.com/en-GB/download/Access-Commander-Security-Advisory-2024-11
https://www.cisa.gov/news-events/ics-advisories/icsa-24-319-17
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Insufficient verification of data authenticity
EUVDB-ID: #VU100650
Risk: Low
CVSSv4.0: 2 [CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-47254
CWE-ID:
CWE-345 - Insufficient Verification of Data Authenticity
Exploit availability: No
DescriptionThe vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to insufficient verification of data authenticity. A remote administrator on the local network can gain elevated privileges on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAccess Commander: - - 3.1.1.2
CPE2.3- cpe:2.3:a:2n_telekomunikace:access_commander:*:*:*:*:*:*:*:*
- cpe:2.3:a:2n_telekomunikace:access_commander:3.1.1.2:*:*:*:*:*:*:*
https://www.2n.com/en-GB/download/Access-Commander-Security-Advisory-2024-11
https://www.cisa.gov/news-events/ics-advisories/icsa-24-319-17
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Insufficient verification of data authenticity
EUVDB-ID: #VU100653
Risk: Low
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-47255
CWE-ID:
CWE-345 - Insufficient Verification of Data Authenticity
Exploit availability: No
DescriptionThe vulnerability allows a local user to execute arbitrary code on the system.
The vulnerability exists due to insufficient verification of data authenticity. A local administrator can execute arbitrary code on the target system with elevated privileges.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAccess Commander: - - 3.1.1.2
CPE2.3- cpe:2.3:a:2n_telekomunikace:access_commander:*:*:*:*:*:*:*:*
- cpe:2.3:a:2n_telekomunikace:access_commander:3.1.1.2:*:*:*:*:*:*:*
https://www.2n.com/en-GB/download/Access-Commander-Security-Advisory-2024-11
https://www.cisa.gov/news-events/ics-advisories/icsa-24-319-17
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
