57 matches found
CVE-2024-13870 Unauthenticated Firmware Downgrade in Bitdefender Box v1
An improper access control vulnerability exists in Bitdefender Box 1 firmware version 1.3.52.928 and below that allows an unauthenticated attacker to downgrade the device's firmware to an older, potentially vulnerable version of a Bitdefender-signed firmware. The attack requires Bitdefender BOX t...
CVE-2024-13870 Unauthenticated Firmware Downgrade in Bitdefender Box v1
An improper access control vulnerability exists in Bitdefender Box 1 firmware version 1.3.52.928 and below that allows an unauthenticated attacker to downgrade the device's firmware to an older, potentially vulnerable version of a Bitdefender-signed firmware. The attack requires Bitdefender BOX t...
CVE-2024-13870
Bitdefender Box 1 devices with firmware 1.3.52.928 or earlier are affected by an improper access control vulnerability that permits an unauthenticated attacker in Wi‑Fi range to downgrade firmware to an older, potentially vulnerable Bitdefender‑signed version when the device is in Recovery Mode. ...
CVE-2024-13871 Unauthenticated Command Injection in Bitdefender BOX v1
A command injection vulnerability exists in the /checkimageandtriggerrecovery API endpoint of Bitdefender Box 1 firmware version 1.3.11.490. This flaw allows an unauthenticated, network-adjacent attacker to execute arbitrary commands on the device, potentially leading to full remote code executio...
CVE-2024-13871 Unauthenticated Command Injection in Bitdefender BOX v1
A command injection vulnerability exists in the /checkimageandtriggerrecovery API endpoint of Bitdefender Box 1 firmware version 1.3.11.490. This flaw allows an unauthenticated, network-adjacent attacker to execute arbitrary commands on the device, potentially leading to full remote code executio...
CVE-2024-13871
CVE-2024-13871 affects Bitdefender Box 1 with firmware 1.3.11.490. The vulnerability is a command injection in the "/check_image_and_trigger_recovery" API endpoint that allows an unauthenticated, network-adjacent attacker to execute arbitrary commands, potentially enabling full remote code execut...
CVE-2024-13872 Bitdefender Box Insecure Update Mechanism Vulnerability in libboxhermes.so
Bitdefender Box, versions 1.3.11.490 through 1.3.11.505, uses the insecure HTTP protocol to download assets over the Internet to update and restart daemons and detection rules on the devices. Updates can be remotely triggered through the /settemptoken API method. Then, an unauthenticated and...
CVE-2024-13872 Bitdefender Box Insecure Update Mechanism Vulnerability in libboxhermes.so
Bitdefender Box, versions 1.3.11.490 through 1.3.11.505, uses the insecure HTTP protocol to download assets over the Internet to update and restart daemons and detection rules on the devices. Updates can be remotely triggered through the /settemptoken API method. Then, an unauthenticated and...
CVE-2024-13872
Bitdefender Box is affected in versions 1.3.11.490–1.3.11.505. The issue arises from downloading assets over HTTP for updates via the /set_temp_token API, enabling an unauthenticated, network-adjacent attacker to perform MITM and return malicious assets. Restarted daemons using those assets can l...
PT-2025-11032 · Bitdefender · Bitdefender Box
Name of the Vulnerable Software and Affected Versions: Bitdefender Box 1 version 1.3.11.490 Description: A command injection vulnerability exists in the "/check image and trigger recovery" API endpoint, allowing an unauthenticated, network-adjacent attacker to execute arbitrary commands on the...
Bitdefender Box 命令注入漏洞
Bitdefender BOX is a smart home security control device from Bitdefender, Romania. A command injection vulnerability exists in Bitdefender Box version 1.3.11.490, which stems from the presence of a command injection in the checkimageandtriggerrecovery API endpoint, which could lead to remote code...
Bitdefender Box 安全漏洞
Bitdefender BOX is a smart home security control device from Bitdefender, Romania. A security vulnerability exists in Bitdefender Box version 1.3.52.928 and earlier, which stems from improper access control and could allow an unauthenticated attacker to downgrade the device firmware...
Bitdefender BOX 安全漏洞
Bitdefender BOX is a smart home security control device from Bitdefender, Romania. A security vulnerability exists in Bitdefender BOX versions 1.3.11.490 through 1.3.11.505, which stems from the use of an insecure HTTP protocol to download assets, which could lead to man-in-the-middle attacks and...
PT-2025-11031 · Bitdefender · Bitdefender Box
Name of the Vulnerable Software and Affected Versions: Bitdefender Box 1 versions 1.3.52.928 and below Description: An improper access control issue exists that allows an unauthenticated attacker to downgrade the device's firmware to an older, potentially vulnerable version of a Bitdefender-signe...
PT-2025-11033 · Bitdefender · Bitdefender Box
Name of the Vulnerable Software and Affected Versions: Bitdefender Box versions 1.3.11.490 through 1.3.11.505 Description: The issue concerns the use of the insecure HTTP protocol to download assets over the Internet for updating and restarting daemons and detection rules on devices. Updates can ...
The vulnerability of the Bitdefender BOX 2 device, related to errors in processing URL addresses via the API /api/download_image, allows a perpetrator to execute arbitrary commands on the target system.
The vulnerability of the Bitdefender BOX 2 device for protecting devices and gadgets is related to errors in processing URL addresses using the API /api/downloadimage. Exploiting this vulnerability allows a hacker to execute arbitrary commands on the target system by sending the malicious file...
Bitdefender BOX 2 Operating System Command Injection Vulnerability
Bitdefender BOX is a smart home security control device from the Romanian company Bitdefender. An operating system command injection vulnerability exists in Bitdefender BOX 2. The vulnerability arises from the failure of a network system or product to properly filter special characters, commands,...
CVE-2019-17096
CVE-2019-17096 is a Bitdefender BOX 2 bootstrap command-injection vulnerability. In the bootstrap flow, the device fetches firmware/image data via /api/download_image, which uses get_image_url() to obtain a URL from the Nimbus server and then executes a curl command to download the image. The cod...
CVE-2019-17095
A command injection vulnerability has been discovered in the bootstrap stage of Bitdefender BOX 2, versions 2.1.47.42 and 2.1.53.45. The API method /api/downloadimage unsafely handles the production firmware URL supplied by remote servers, leading to arbitrary execution of system commands. In ord...
CVE-2019-17095
A command injection vulnerability has been discovered in the bootstrap stage of Bitdefender BOX 2, versions 2.1.47.42 and 2.1.53.45. The API method /api/downloadimage unsafely handles the production firmware URL supplied by remote servers, leading to arbitrary execution of system commands. In ord...