CVE-2024-5539 - Vulnerability Details - OpenCVE

The Access Control Bypass vulnerability found in ALC WebCTRL and Carrier i-Vu in versions up to and including 8.5 allows a malicious actor to bypass intended access restrictions and expose sensitive information via the web based building automation server.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Carrier	Automatedlogic Webctrl I-vu

No data.

No data.

References

Link	Providers
https://www.corporate.carrier.com/product-security/advisories-resources/

History

Thu, 27 Nov 2025 16:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Carrier Carrier automatedlogic Webctrl Carrier i-vu
Vendors & Products		Carrier Carrier automatedlogic Webctrl Carrier i-vu

Thu, 27 Nov 2025 01:15:00 +0000

Type	Values Removed	Values Added
Description		The Access Control Bypass vulnerability found in ALC WebCTRL and Carrier i-Vu in versions up to and including 8.5 allows a malicious actor to bypass intended access restrictions and expose sensitive information via the web based building automation server.
Title		ALC WebCTRL Carrier i-Vu Access Control Bypass
Weaknesses		CWE-863
References		https://www.corporate.carrier.com/product-security/advisories-resources/
Metrics		cvssV4_0 `{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: Carrier

Published: 2025-11-27T01:02:30.525Z

Updated: 2025-11-27T01:02:30.525Z

Reserved: 2024-05-30T17:38:43.955Z

Link: CVE-2024-5539

Vulnrichment

No data.

NVD

Status : Received

Published: 2025-11-27T01:15:46.120

Modified: 2025-11-27T01:15:46.120

Link: CVE-2024-5539

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-5539", "assignerOrgId": "e24e6442-3ae1-4538-a7b8-7ac95586db8f", "state": "PUBLISHED", "assignerShortName": "Carrier", "dateReserved": "2024-05-30T17:38:43.955Z", "datePublished": "2025-11-27T01:02:30.525Z", "dateUpdated": "2025-11-27T01:02:30.525Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Windows"], "product": "WebCTRL", "vendor": "Automated Logic", "versions": [{"lessThanOrEqual": "8.5", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "platforms": ["Windows"], "product": "i-Vu", "vendor": "Carrier", "versions": [{"lessThanOrEqual": "8.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Steve Knabe from Praetorian"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The Access Control Bypass vulnerability found in ALC WebCTRL and Carrier i-Vu in versions up to and including 8.5 allows a malicious actor to bypass intended access restrictions and expose sensitive information via the \n\n<i>web based building automation server.</i><br>"}], "value": "The Access Control Bypass vulnerability found in ALC WebCTRL and Carrier i-Vu in versions up to and including 8.5 allows a malicious actor to bypass intended access restrictions and expose sensitive information via the \n\nweb based building automation server."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.2, "baseSeverity": "CRITICAL", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e24e6442-3ae1-4538-a7b8-7ac95586db8f", "shortName": "Carrier", "dateUpdated": "2025-11-27T01:02:30.525Z"}, "references": [{"url": "https://www.corporate.carrier.com/product-security/advisories-resources/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Upgrade to the latest version of ALC WebCTRL or Carrier i-Vu.  \n\n<br>"}], "value": "Upgrade to the latest version of ALC WebCTRL or Carrier i-Vu."}], "source": {"discovery": "EXTERNAL"}, "title": "ALC WebCTRL Carrier i-Vu Access Control Bypass", "x_generator": {"engine": "Vulnogram 0.2.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Access Control Bypass vulnerability found in ALC WebCTRL and Carrier i-Vu in versions up to and including 8.5 allows a malicious actor to bypass intended access restrictions and expose sensitive information via the \n\nweb based building automation server."}], "id": "CVE-2024-5539", "lastModified": "2025-11-27T01:15:46.120", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.2, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-11-27T01:15:46.120", "references": [{"source": "[email protected]", "url": "https://www.corporate.carrier.com/product-security/advisories-resources/"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "[email protected]", "type": "Secondary"}]}