PTC Creo Elements/Direct License Server


1. EXECUTIVE SUMMARY

  • CVSS v4 10.0
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: PTC
  • Equipment: Creo Elements/Direct License Server
  • Vulnerability: Missing Authorization

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow unauthenticated remote attackers to execute arbitrary OS commands.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

PTC reports that the following versions of Creo Elements/Direct License Server are affected; note that this vulnerability does not impact “Creo License server”:

  • Creo Elements/Direct License Server: Version 20.7.0.0 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 Missing Authorization CWE-122

Creo Elements/Direct License Server exposes a web interface that unauthenticated remote attackers can use to execute arbitrary OS commands on the server.

CVE-2024-6071 has been assigned to this vulnerability. A CVSS v3.1 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-6071. A base score of 10.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.3 BACKGROUND