CVE-2024-2413 - Vulnerability Details - OpenCVE

Intumit SmartRobot uses a fixed encryption key for authentication. Remote attackers can use this key to encrypt a string composed of the user's name and timestamp to generate an authentication code. With this authentication code, they can obtain administrator privileges and subsequently execute arbitrary code on the remote server using built-in system functionality.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Intumit	Smartrobot Smartrobot Firmware

Configuration 1 [-]

AND

cpe:2.3:o:intumit:smartrobot_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:intumit:smartrobot:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.twcert.org.tw/tw/cp-132-7697-ecf10-1.html

History

Mon, 17 Nov 2025 19:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Intumit smartrobot Firmware
CPEs		cpe:2.3:o:intumit:smartrobot_firmware::::::::
Vendors & Products		Intumit smartrobot Firmware

Tue, 15 Apr 2025 16:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Intumit Intumit smartrobot
CPEs		cpe:2.3:h:intumit:smartrobot:-:::::::*
Vendors & Products		Intumit Intumit smartrobot
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: twcert

Published: 2024-03-13T02:51:10.886Z

Updated: 2025-04-15T15:24:41.891Z

Reserved: 2024-03-13T02:35:52.278Z

Link: CVE-2024-2413

Vulnrichment

Updated: 2024-08-01T19:11:53.532Z

NVD

Status : Analyzed

Published: 2024-03-13T03:15:06.793

Modified: 2025-11-17T18:54:32.567

Link: CVE-2024-2413

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-2413", "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "state": "PUBLISHED", "assignerShortName": "twcert", "dateReserved": "2024-03-13T02:35:52.278Z", "datePublished": "2024-03-13T02:51:10.886Z", "dateUpdated": "2025-04-15T15:24:41.891Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SmartRobot", "vendor": "Intumit", "versions": [{"lessThanOrEqual": "v6.1.2-202212tw", "status": "affected", "version": "earlier version", "versionType": "custom"}]}], "datePublic": "2024-03-15T02:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Intumit SmartRobot uses a fixed encryption key for authentication. Remote attackers can use this key to encrypt a string composed of the user's name and timestamp to generate an authentication code. With this authentication code, they can obtain administrator privileges and subsequently execute arbitrary code on the remote server using built-in system functionality."}], "value": "Intumit SmartRobot uses a fixed encryption key for authentication. Remote attackers can use this key to encrypt a string composed of the user's name and timestamp to generate an authentication code. With this authentication code, they can obtain administrator privileges and subsequently execute arbitrary code on the remote server using built-in system functionality."}], "impacts": [{"capecId": "CAPEC-114", "descriptions": [{"lang": "en", "value": "CAPEC-114 Authentication Abuse"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-321", "description": "CWE-321: Use of Hard-coded Cryptographic Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert", "dateUpdated": "2024-03-13T02:51:10.886Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-7697-ecf10-1.html"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to v6.2.0-202303tw or later version or change current encryption key."}], "value": "Update to v6.2.0-202303tw or later version or change current encryption key."}], "source": {"advisory": "TVN-202403002", "discovery": "EXTERNAL"}, "title": "Intumit SmartRobot - Use of Hard-coded Cryptographic Key", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"affected": [{"vendor": "intumit", "product": "smartrobot", "cpes": ["cpe:2.3:h:intumit:smartrobot:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "v6.1.2-202212tw", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-03-13T14:27:09.797092Z", "id": "CVE-2024-2413", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-15T15:24:41.891Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:11:53.532Z"}, "title": "CVE Program Container", "references": [{"tags": ["third-party-advisory", "x_transferred"], "url": "https://www.twcert.org.tw/tw/cp-132-7697-ecf10-1.html"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-7697-ecf10-1.html", "tags": ["third-party-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:11:53.532Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-2413", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-03-13T14:27:09.797092Z"}}}], "affected": [{"cpes": ["cpe:2.3:h:intumit:smartrobot:-:*:*:*:*:*:*:*"], "vendor": "intumit", "product": "smartrobot", "versions": [{"status": "affected", "version": "0", "lessThan": "v6.1.2-202212tw", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-19T18:03:38.548Z"}}], "cna": {"title": "Intumit SmartRobot - Use of Hard-coded Cryptographic Key", "source": {"advisory": "TVN-202403002", "discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-114", "descriptions": [{"lang": "en", "value": "CAPEC-114 Authentication Abuse"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Intumit", "product": "SmartRobot", "versions": [{"status": "affected", "version": "earlier version", "versionType": "custom", "lessThanOrEqual": "v6.1.2-202212tw"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update to v6.2.0-202303tw or later version or change current encryption key.", "supportingMedia": [{"type": "text/html", "value": "Update to v6.2.0-202303tw or later version or change current encryption key.", "base64": false}]}], "datePublic": "2024-03-15T02:00:00.000Z", "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-7697-ecf10-1.html", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Intumit SmartRobot uses a fixed encryption key for authentication. Remote attackers can use this key to encrypt a string composed of the user's name and timestamp to generate an authentication code. With this authentication code, they can obtain administrator privileges and subsequently execute arbitrary code on the remote server using built-in system functionality.", "supportingMedia": [{"type": "text/html", "value": "Intumit SmartRobot uses a fixed encryption key for authentication. Remote attackers can use this key to encrypt a string composed of the user's name and timestamp to generate an authentication code. With this authentication code, they can obtain administrator privileges and subsequently execute arbitrary code on the remote server using built-in system functionality.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-321", "description": "CWE-321: Use of Hard-coded Cryptographic Key"}]}], "providerMetadata": {"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert", "dateUpdated": "2024-03-13T02:51:10.886Z"}}}, "cveMetadata": {"cveId": "CVE-2024-2413", "state": "PUBLISHED", "dateUpdated": "2025-04-15T15:24:41.891Z", "dateReserved": "2024-03-13T02:35:52.278Z", "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "datePublished": "2024-03-13T02:51:10.886Z", "assignerShortName": "twcert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:intumit:smartrobot_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "451AF745-5F00-43E6-9F08-5A92DD41AA67", "versionEndExcluding": "6.2.0-202303TW", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:intumit:smartrobot:-:*:*:*:*:*:*:*", "matchCriteriaId": "0260F953-BD5B-49C0-B7BA-AFBE246FA702", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Intumit SmartRobot uses a fixed encryption key for authentication. Remote attackers can use this key to encrypt a string composed of the user's name and timestamp to generate an authentication code. With this authentication code, they can obtain administrator privileges and subsequently execute arbitrary code on the remote server using built-in system functionality."}, {"lang": "es", "value": "Intumit SmartRobot utiliza una clave de cifrado fija para la autenticaci\u00f3n. Los atacantes remotos pueden usar esta clave para cifrar una cadena compuesta por el nombre del usuario y la marca de tiempo para generar un c\u00f3digo de autenticaci\u00f3n. Con este c\u00f3digo de autenticaci\u00f3n, pueden obtener privilegios de administrador y posteriormente ejecutar c\u00f3digo arbitrario en el servidor remoto utilizando la funcionalidad integrada del sistema."}], "id": "CVE-2024-2413", "lastModified": "2025-11-17T18:54:32.567", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "[email protected]", "type": "Secondary"}]}, "published": "2024-03-13T03:15:06.793", "references": [{"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-7697-ecf10-1.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-7697-ecf10-1.html"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-321"}], "source": "[email protected]", "type": "Secondary"}]}