Bitdefender has disclosed two critical vulnerabilities affecting its BOX v1 device that could allow network-adjacent attackers to execute Man-in-the-Middle (MITM) attacks, potentially leading to remote code execution.
The vulnerabilities, assigned CVE-2024-13872 and CVE-2024-13871, both received a CVSS score of 9.4, indicating severe security risks for affected devices.
These security flaws impact a product that Bitdefender notes is no longer sold or supported, leaving users of legacy devices particularly vulnerable to exploitation.
Insecure Update Mechanism Vulnerability – CVE-2024-13872
The first vulnerability (CVE-2024-13872) resides in the libboxhermes.so component of Bitdefender BOX v1, affecting firmware versions 1.3.11.490 through 1.3.11.505.
This security flaw stems from an insecure update mechanism where the device uses unencrypted HTTP protocol to download assets over the Internet for updating and restarting daemons and detection rules.
The vulnerability becomes exploitable when updates are remotely triggered through the /set_temp_token API method.
At this point, an unauthenticated and network-adjacent attacker can implement MITM techniques to intercept the communication and inject malicious responses.
When daemons restart using these compromised assets, attackers can achieve remote code execution on the device.
The insecure update mechanism represents a fundamental security design flaw where sensitive operations occur without proper encryption or authentication safeguards.
Security researcher Alan Cao is credited with discovering this vulnerability, which Bitdefender disclosed on March 12th, 2025.
The detailed CVSS vector string (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) indicates that the vulnerability requires adjacent network access but no privileges or user interaction, while enabling complete compromise of confidentiality, integrity, and availability.
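The root cause described above is an update client that trusts whatever a plaintext HTTP response carries. The following is an added example, not code from Bitdefender or from the BOX firmware, of the two checks a defensible update path needs before a downloaded asset is allowed to restart a daemon: refuse non-TLS transport to anything but an allow-listed host, and verify the asset against a digest from a manifest obtained over an authenticated channel. The host name, manifest format and sample asset are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from urllib.parse import urlparse

# Hypothetical allow-list of update hosts. A real device would pin these
# (or better, the server certificate) in firmware rather than in a config file.
ALLOWED_UPDATE_HOSTS = {"updates.example.invalid"}


@dataclass(frozen=True)
class ManifestEntry:
    """One asset in a signed manifest (assumed delivered over an authenticated channel)."""
    name: str
    sha256: str   # hex digest of the asset
    size: int     # byte length of the asset


class UpdateRejected(Exception):
    """Raised when an asset fails any transport or integrity check."""


def check_update_source(url: str) -> None:
    """Reject the plaintext-HTTP transport that made the MITM injection possible."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise UpdateRejected(f"refusing plaintext transport for {url}")
    if parsed.hostname not in ALLOWED_UPDATE_HOSTS:
        raise UpdateRejected(f"unexpected update host {parsed.hostname!r}")


def verify_asset(payload: bytes, entry: ManifestEntry) -> None:
    """Tie the downloaded bytes to the manifest before anything restarts with them."""
    if len(payload) != entry.size:
        raise UpdateRejected(f"{entry.name}: size {len(payload)} != {entry.size}")
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, entry.sha256):
        raise UpdateRejected(f"{entry.name}: digest mismatch")


def stage_update(url: str, payload: bytes, entry: ManifestEntry) -> str:
    """Return the asset name once it is safe to install; raise UpdateRejected otherwise."""
    check_update_source(url)
    verify_asset(payload, entry)
    return entry.name


# Constructed sample: a tiny "detection rules" asset and its manifest entry.
SAMPLE_ASSET = b"rule:block-bad-domain.example\n"
SAMPLE_ENTRY = ManifestEntry(
    name="detection-rules.bin",
    sha256=hashlib.sha256(SAMPLE_ASSET).hexdigest(),
    size=len(SAMPLE_ASSET),
)


def demo() -> dict:
    """Run the three cases a reviewer would want to see: good, plaintext, tampered."""
    results = {}
    cases = [
        ("https_good", "https://updates.example.invalid/rules", SAMPLE_ASSET),
        ("http_plaintext", "http://updates.example.invalid/rules", SAMPLE_ASSET),
        ("https_tampered", "https://updates.example.invalid/rules", SAMPLE_ASSET + b"extra"),
    ]
    for label, url, payload in cases:
        try:
            results[label] = stage_update(url, payload, SAMPLE_ENTRY)
        except UpdateRejected as exc:
            results[label] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:15s} {outcome}")
```

The digest comparison uses `hmac.compare_digest` rather than `==` so the check does not leak timing information, and the size check runs first so a truncated or padded response is rejected before hashing. A digest from a manifest is only as strong as the channel that delivered the manifest; if that channel is the same plaintext HTTP, the check adds nothing, which is why the source check is not optional.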
| Risk Factors | Details |
|---|---|
| Affected Products | Bitdefender BOX v1 (versions 1.3.11.490 through 1.3.11.505) |
| Impact | Remote code execution through MITM attack on insecure update mechanism |
| Exploit Prerequisites | Network-adjacent access required; no authentication needed; no user interaction required |
| CVSS 4.0 Score | 9.4 – Critical |
Command Injection Vulnerability – CVE-2024-13871
The second critical vulnerability (CVE-2024-13871) involves an unauthenticated command injection flaw in the /check_image_and_trigger_recovery API endpoint of Bitdefender BOX v1.
This vulnerability specifically affects firmware version 1.3.11.490. The security flaw allows unauthenticated, network-adjacent attackers to execute arbitrary commands on the affected device.
The exploitation process requires no special privileges or user interaction, making it particularly dangerous within local networks.
Command injection vulnerabilities typically occur when user-supplied data is incorporated into system commands without proper validation or sanitization.
In this case, attackers can inject malicious commands that execute with the privileges of the BOX v1 system processes, potentially allowing complete control of the device.
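The article does not publish the vulnerable code, so the following is an added illustration, not BOX v1 firmware, of the general pattern it describes: a request parameter spliced into a shell command string, next to the hardened form that validates the parameter against a strict pattern and passes it to the program as a single argv element with no shell involved. The binary paths, staging directory and parameter name are hypothetical.

```python
import re
import subprocess
from pathlib import Path

IMAGE_DIR = Path("/data/images")          # hypothetical staging directory
CHECK_IMAGE = "/usr/bin/check_image"      # hypothetical helper binary

# Conservative allow-list: one filename component, no slashes, no leading dot,
# none of the characters a shell treats specially.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def build_command_vulnerable(image_name: str) -> str:
    """Insecure pattern: untrusted input becomes part of a shell command line.

    Whatever metacharacters the caller puts in image_name are interpreted by
    the shell when this string is run with shell=True. Returned, not executed.
    """
    return f"{CHECK_IMAGE} {IMAGE_DIR}/{image_name} && /usr/bin/trigger_recovery"


def build_command_hardened(image_name: str) -> list:
    """Hardened pattern: validate, then build an argv list for shell=False."""
    if not SAFE_NAME.fullmatch(image_name):
        raise ValueError("image name contains disallowed characters")
    target = IMAGE_DIR / image_name
    # Defence in depth: the regex already forbids separators, but an explicit
    # containment check documents the intent and survives a later regex edit.
    if target.parent != IMAGE_DIR:
        raise ValueError("image name escapes the staging directory")
    return [CHECK_IMAGE, str(target)]


def run_check(image_name: str) -> int:
    """Execute the hardened command; the OS receives argv, never a shell string."""
    argv = build_command_hardened(image_name)
    completed = subprocess.run(argv, shell=False, capture_output=True)
    return completed.returncode


def compare(image_name: str) -> dict:
    """Show what each builder does with the same input (no command is executed)."""
    outcome = {"vulnerable": build_command_vulnerable(image_name)}
    try:
        outcome["hardened"] = build_command_hardened(image_name)
    except ValueError as exc:
        outcome["hardened"] = f"rejected: {exc}"
    return outcome


if __name__ == "__main__":
    # Constructed inputs: a normal filename and one carrying shell metacharacters.
    for name in ("fw.bin", "fw.bin; echo injected"):
        print(name, "->", compare(name))
```

The hardened builder never calls `shlex.quote` or tries to escape the input; escaping is the fragile option because it has to track every quoting rule of the shell in use. Rejecting anything outside a small allow-list and bypassing the shell entirely removes the interpreter from the path, which is the property a reviewer should look for in any firmware endpoint that runs a system tool on request.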
Bitdefender Labs, the company’s internal security research team, discovered this vulnerability during routine security auditing procedures.
| Risk Factors | Details |
|---|---|
| Affected Products | Bitdefender BOX v1 (firmware version 1.3.11.490) |
| Impact | Remote code execution through command injection |
| Exploit Prerequisites | Network-adjacent access; no authentication needed; no user interaction required |
| CVSS 4.0 Score | 9.4 – Critical |
Mitigations
Both vulnerabilities pose serious security risks, with identical CVSS scores of 9.4 reflecting their critical severity.
Attackers who successfully exploit these flaws could potentially access sensitive information passing through the network security device, modify network traffic, establish persistence on the network, or use the compromised device as a launching point for deeper network penetration.
The potential for remote code execution means attackers could deploy malware or backdoors on affected systems.
For the command injection vulnerability (CVE-2024-13871), Bitdefender has released an automatic update to version 1.3.11.510 that addresses the issue.
However, no patch appears to be available for the insecure update mechanism vulnerability (CVE-2024-13872), as Bitdefender notes that the product is no longer supported.
This situation underscores the security challenges presented by end-of-life products that remain in active use.
Users of Bitdefender BOX v1 are strongly advised to consider upgrading to newer, supported security products if possible.
If continued use is necessary, isolating these devices with additional network security controls and monitoring for suspicious network activity become essential defensive measures.
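For a device that cannot be patched, the monitoring the article recommends can be concrete: watch for the two behaviours behind these CVEs, a plaintext HTTP fetch leaving the BOX toward the Internet (the update path of CVE-2024-13872) and a connection to the BOX management API from a host that is not the administrator's. The following is an added example, not a Bitdefender tool, that runs that logic over a few constructed flow-log lines. The BOX address, the management host, the LAN prefix, the API port and the log format are all assumptions; the article does not state any of them.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Hypothetical network layout for the example.
BOX_IP = ipaddress.ip_address("192.0.2.10")
LAN = ipaddress.ip_network("192.0.2.0/24")
MGMT_HOSTS = {ipaddress.ip_address("192.0.2.20")}
BOX_API_PORT = 8080   # assumed; the article does not give the API port

# Constructed flow log: timestamp,src,dst,dport,proto (one flow per line).
SAMPLE_LOG = """\
2025-03-12T10:00:01Z,192.0.2.10,203.0.113.5,443,tcp
2025-03-12T10:00:05Z,192.0.2.10,203.0.113.5,80,tcp
2025-03-12T10:01:00Z,192.0.2.20,192.0.2.10,8080,tcp
2025-03-12T10:01:30Z,192.0.2.77,192.0.2.10,8080,tcp
2025-03-12T10:02:00Z,192.0.2.77,192.0.2.10,53,udp
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flows(text: str) -> List[Flow]:
    """Parse the constructed CSV format; skip blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        ts, src, dst, dport, proto = parts
        flows.append(Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          int(dport), proto))
    return flows


def find_alerts(flows: List[Flow]) -> List[str]:
    """Return one alert string per flow that matches either watch rule."""
    alerts = []
    for f in flows:
        # Rule 1: the BOX talking plaintext HTTP to anything outside the LAN is
        # exactly the exposure that lets a network-adjacent MITM inject assets.
        if f.src == BOX_IP and f.proto == "tcp" and f.dport == 80 and f.dst not in LAN:
            alerts.append(f"{f.ts} plaintext HTTP from BOX to {f.dst}")
        # Rule 2: any host other than the administrator's reaching the BOX API
        # port is the precondition for both unauthenticated endpoints.
        if f.dst == BOX_IP and f.dport == BOX_API_PORT and f.src not in MGMT_HOSTS:
            alerts.append(f"{f.ts} BOX API reached from unexpected host {f.src}")
    return alerts


def scan(text: str = SAMPLE_LOG) -> List[str]:
    return find_alerts(parse_flows(text))


if __name__ == "__main__":
    for alert in scan():
        print(alert)
```

Both rules are deliberately narrow so they can run against a real flow export with a low false-positive rate; the second one also doubles as a check that the isolation controls the article recommends are actually in place, since a correctly segmented BOX should never see API traffic from an arbitrary LAN host.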