
Bitdefender Box V1 vulnerabilities

3 known vulnerabilities affecting bitdefender/box_v1.

Total CVEs: 3
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 2, MEDIUM 1

Vulnerabilities

CVE-2024-13871 | P2 | HIGH | CVSS 8.8 | Affected: ≥ 1.3.11.490, < 1.3.11.505 | 2025-03-12
CVE-2024-13871 [HIGH] CWE-77: A command injection vulnerability exists in the /check_image_and_trigger_recovery API endpoint of Bitdefender Box 1 (firmware version 1.3.11.490). This flaw allows an unauthenticated, network-adjacent attacker to execute arbitrary commands on the device, potentially leading to full remote code execution (RCE).
Source: nvd

CVE-2024-13872 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 1.3.11.490, < 1.3.11.505 | 2025-03-12
CVE-2024-13872 [HIGH] CWE-319: Bitdefender Box, versions 1.3.11.490 through 1.3.11.505, uses the insecure HTTP protocol to download assets over the Internet to update and restart daemons and detection rules on the devices. Updates can be remotely triggered through the /set_temp_token API method. Then, an unauthenticated and network-adjacent attacker can use man-in-the-middle (MITM)
Source: nvd

CVE-2024-13870 | P4 | MEDIUM | CVSS 5.7 | Affected: ≤ 1.3.52.928 | 2025-03-12
CVE-2024-13870 [MEDIUM] CWE-1328: An improper access control vulnerability exists in Bitdefender Box 1 (firmware version 1.3.52.928 and below) that allows an unauthenticated attacker to downgrade the device's firmware to an older, potentially vulnerable version of a Bitdefender-signed firmware. The attack requires Bitdefender BOX to be booted in Recovery Mode and that the attacker
Source: nvd