A vulnerability allows attackers to download source code or an executable from a remote location and execute the code without sufficiently verifying the origin and integrity of the code. This vulnerability can allow attackers to modify the firmware before uploading it to the system, thus achieving the modification of the target’s integrity to achieve an insecure state.
An attacker can inject a malicious executable file or firmware image in place of a legitimate update downloaded from a remote location. The vulnerable system does not sufficiently verify the source or integrity of downloaded code (e.g., lack of digital signature verification or checksum verification). Through this, an attacker can inject modified firmware that will be installed on the target device, putting it into an unsafe state.
An attacker can permanently modify the device firmware, gaining full control over the system, including the ability to read and modify data and disrupt its operation. The consequence may be long-term device takeover that is difficult to detect without deep hardware analysis.
Apply patches available from the manufacturer according to references (advisory NCSC-2024-0273 available at https://advisories.ncsc.nl/advisory?id=NCSC-2024-0273). Additionally, it is recommended to implement digital signature verification or checksums for all downloaded firmware updates and restrict network access to update mechanisms.
Versions indicated in manufacturer references (details in NCSC-2024-0273 communication; specific products and versions were not provided in the vulnerability description)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H