CRITICAL🇵🇱 Wersja polska

CVE-2024-8888

CVSS 10.0v3.1pub. 2024-09-18upd. 2024-10-01

An attacker with access to the network where CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could steal the tokens used on the web, since these have no expiration date to access the web application without restrictions. Token theft can originate from different methods such as network captures, locally stored web information, etc.

🤖 AI Analysis
How it works

Session tokens generated by the Circutor Q-SMT device web application lack an expiration mechanism (no expiration date), which violates secure session management practices (CWE-613). An attacker with access to the network where the device is located can intercept the token using various methods — for example, through network traffic eavesdropping (network capture) or reading data stored locally by the browser. After obtaining the token, the attacker can repeatedly and indefinitely use it to authenticate to the web application without needing to know the password.

Impact

An attacker possessing a stolen token gains full, unlimited-time access to the device's web interface, which may lead to disclosure of sensitive configuration data, modification of device settings, and potential disruption of its operation.

Mitigation & patch

Apply patches available from the manufacturer according to references. Additionally, it is recommended to segment OT/IT networks and restrict access to the device's web interface exclusively to trusted hosts through firewall rules.

Who is affected

Circutor Q-SMT with firmware version 1.0.4

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Circutor Q Smt

    HW
    Circutor
    wszystkie wersje
  • Circutor Q Smt Firmware

    OS
    Circutor
    1.0.4
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-8887CRITICAL10.0PL ✓ten sam produkt

Pominięcie uwierzytelnienia w Circutor Q-SMT umożliwia atak DoS

CVE-2024-8890HIGH8.0ten sam produkt

An attacker with access to the network where the CIRCUTOR Q-SMT is located in its firmware version 1.0.4, coul...

CVE-2024-8891MEDIUM5.3ten sam produkt

An attacker with no knowledge of the current users in the web application, could build a dictionary of potenti...

CVE-2025-11778CRITICAL10.0PL ✓ten sam vendor

Stack-based buffer overflow w Circutor SGE-PLC1000/SGE-PLC50 (TACACS+)

CVE-2025-11779CRITICAL9.4PL ✓ten sam vendor

Stack-based buffer overflow w Circutor SGE-PLC1000/SGE-PLC50 via SetLan