CVE-2024-58337 (GCVE-0-2024-58337)

Vulnerability from cvelistv5 – Published: 2025-12-30 22:41 – Updated: 2025-12-30 22:41
VLAI?
Title
Akuvox Smart Intercom S539 Improper Access Control via ServicesHTTPAPI
Summary
Akuvox Smart Intercom S539 contains an improper access control vulnerability that allows users with 'User' privileges to modify API access settings and configurations. Attackers can exploit this vulnerability to escalate privileges and gain unauthorized access to administrative functionalities.
Severity ?
8.7 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE
Assigner
References
Impacted products
Vendor Product Version
The Akuvox Company Akuvox Smart Doorphone Affected: S539
Affected: S532
Affected: X916
Affected: X915
Affected: X912
Create a notification for this product.
    The Akuvox Company Akuvox Smart Intercom Affected: R20K-2
Affected: R20A-2
Affected: C313W-2
Affected: NS-2
Affected: NC-2
Affected: NX-2
Create a notification for this product.
Credits
LiquidWorm as Gjoko Krstic of Zero Science Lab
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "Akuvox Smart Doorphone",
          "vendor": "The Akuvox Company",
          "versions": [
            {
              "status": "affected",
              "version": "S539"
            },
            {
              "status": "affected",
              "version": "S532"
            },
            {
              "status": "affected",
              "version": "X916"
            },
            {
              "status": "affected",
              "version": "X915"
            },
            {
              "status": "affected",
              "version": "X912"
            }
          ]
        },
        {
          "product": "Akuvox Smart Intercom",
          "vendor": "The Akuvox Company",
          "versions": [
            {
              "status": "affected",
              "version": "R20K-2"
            },
            {
              "status": "affected",
              "version": "R20A-2"
            },
            {
              "status": "affected",
              "version": "C313W-2"
            },
            {
              "status": "affected",
              "version": "NS-2"
            },
            {
              "status": "affected",
              "version": "NC-2"
            },
            {
              "status": "affected",
              "version": "NX-2"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "LiquidWorm as Gjoko Krstic of Zero Science Lab"
        }
      ],
      "datePublic": "2024-11-26T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Akuvox Smart Intercom S539 contains an improper access control vulnerability that allows users with \u0027User\u0027 privileges to modify API access settings and configurations. Attackers can exploit this vulnerability to escalate privileges and gain unauthorized access to administrative functionalities."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS"
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-30T22:41:44.989Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "name": "Zero Science Lab Disclosure (ZSL-2024-5862)",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5862.php"
        },
        {
          "name": "Packet Storm Security Exploit Entry",
          "tags": [
            "exploit"
          ],
          "url": "https://packetstormsecurity.com/files/182870/"
        },
        {
          "name": "CXSecurity Vulnerability Listing",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://cxsecurity.com/issue/WLB-2024110042"
        },
        {
          "name": "VulnCheck Advisory: Akuvox Smart Intercom S539 Improper Access Control via ServicesHTTPAPI",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/akuvox-smart-intercom-s-improper-access-control-via-serviceshttpapi"
        }
      ],
      "title": "Akuvox Smart Intercom S539 Improper Access Control via ServicesHTTPAPI",
      "x_generator": {
        "engine": "vulncheck"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2024-58337",
    "datePublished": "2025-12-30T22:41:44.989Z",
    "dateReserved": "2025-12-26T17:10:59.894Z",
    "dateUpdated": "2025-12-30T22:41:44.989Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-58337\",\"sourceIdentifier\":\"disclosure@vulncheck.com\",\"published\":\"2025-12-30T23:15:49.060\",\"lastModified\":\"2025-12-31T20:42:43.210\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Akuvox Smart Intercom S539 contains an improper access control vulnerability that allows users with \u0027User\u0027 privileges to modify API access settings and configurations. Attackers can exploit this vulnerability to escalate privileges and gain unauthorized access to administrative functionalities.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"references\":[{\"url\":\"https://cxsecurity.com/issue/WLB-2024110042\",\"source\":\"disclosure@vulncheck.com\"},{\"url\":\"https://packetstormsecurity.com/files/182870/\",\"source\":\"disclosure@vulncheck.com\"},{\"url\":\"https://www.vulncheck.com/advisories/akuvox-smart-intercom-s-improper-access-control-via-serviceshttpapi\",\"source\":\"disclosure@vulncheck.com\"},{\"url\":\"https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5862.php\",\"source\":\"disclosure@vulncheck.com\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.