CRITICAL🇵🇱 Wersja polska

CVE-2024-41889

CVSS 9.8v3.1pub. 2024-08-05upd. 2024-08-30

Multiple Pimax products accept WebSocket connections from unintended endpoints. If this vulnerability is exploited, arbitrary code may be executed by a remote unauthenticated attacker.

🤖 AI Analysis
How it works

Pimax PiTool and Pimax Play applications listen for WebSocket connections but do not properly verify which endpoints are authorized to establish such a connection (CWE-923 — improper restriction of communication channel). An attacker with network access can establish a WebSocket connection without any authentication and send malicious commands to the vulnerable application, leading to arbitrary code execution on the victim's host.

Impact

A remote, unauthenticated attacker can execute arbitrary code on a machine with installed Pimax software, potentially resulting in complete system takeover, data theft, or malicious software installation.

Mitigation & patch

Apply patches available from the manufacturer according to the references. Additionally, it is recommended to restrict network access to WebSocket ports used by Pimax applications using firewall or network rules, so that connections are possible only from trusted local hosts.

Who is affected

Pimax PiTool and Pimax Play — specific versions indicated in the manufacturer's references (https://pimax.com/pages/downloads-manuals and https://jvn.jp/en/jp/JVN50850706/)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Pimax Pitool

    APP
    Pimax
    wszystkie wersje
  • Pimax Play

    APP
    Pimax
    < 1.21.01
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References