Unauthenticated remote attackers can bypass authorization requirements and access protected API endpoints. Those endpoints allow for remote code execution.
Introduction
AXESS is a carrier-grade device management server that manages TR-069 and other USP devices. It is designed for Tier 1 and Tier 2 support operators to assist end customers with their router installations.
Description
NSIDE decided to delay the disclosure of detailed information until 19th of September 2024.
For further information on detection and patches, please refer to Axiros' security bulletin.
Risk
Unauthenticated remote attackers can fully compromise the AXESS server and interact with all registered routers at will, e.g. reboot them or install new firmware.
Solution/Mitigation
For further information on detection and patches, please refer to Axiros' security bulletin.
Disclosure Timeline
2024-04-18: Vulnerability discovered and details reported to Axiros
2024-04-18: Axiros develops security patch
2024-04-19: Axiros starts distribution of a security patch
2024-04-21: Retest of the customer application
2024-06-17: Axiros agrees to CVE publication
2024-06-25: CVE published
2024-12-17: Advisory published by NSIDE
Contact/Credits
The vulnerability was discovered during an assessment by Moritz Feldmann of NSIDE ATTACK LOGIC GmbH.
