CVE-2024-2097 — Vulnetix

CVE-2024-2097 PUBLISHED CVSS 7.5 HIGH

Authenticated List control client can execute the LINQ query in SCM Server to present event as list for operator. An authenticated malicious client can send special LINQ query to execute arbitrary code remotely (RCE) on the SCM Server that an attacker otherwise does not have authorization to do.

EPSS 0.28% · 51.8th percentile

Risk Scores

CVSS v3.1

7.5

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

0.28%

51.8th percentile

Affected Products

Vendor	Product	Versions
hitachienergy	modular_advanced_control_for_hvdc	4.0, 4.0
Hitachi Energy	MACH SCM Tools	1.0, 1.0
Hitachi Energy	MACH SCM Server	4.0, 4.0

Timeline

Mar 27, 2024 EPSS Score
Mar 27, 2024 CVE Published
Apr 21, 2024 EPSS Score
May 17, 2024 EPSS Score
Jun 11, 2024 EPSS Score
Aug 1, 2024 EPSS Score
Aug 31, 2024 EPSS Score
Sep 25, 2024 EPSS Score
Oct 4, 2024 Coalition ESS Score
Oct 21, 2024 EPSS Score
Nov 15, 2024 EPSS Score
Dec 12, 2024 EPSS Score

References

https://publisher.hitachienergy.com/preview?DocumentId=8DBD000189&languageCode=en&Preview=true vendor-advisory
https://nvd.nist.gov/vuln/detail/CVE-2024-2097 advisory

Open in Interactive Console →