Bitdefender Releases Updates Fixing Critical Vulnerabilities - 20250313002

Overview

Bitdefender has released updates to fix two critical vulnerabilities in Bitdefender BOX.

• The CVE-2024-13871 flaw allows an unauthenticated, network-adjacent attacker to execute arbitrary commands on the device, potentially leading to remote code execution.
• The CVE-2024-13872 flaw uses insecure HTTP protocols to download assets over the Internet which update and restart daemons and detection rules on devices. Such updates can be remotely triggered through /set_temp_token API method, and the attacker can use man-in-the-middle (MITM) techniques via remote code execution to return malicious responses.

What is vulnerable?

Product(s) Affected	Version(s)	CVE	CVSS	Severity
Bitdefender	BOX v1 (Firmware version 1.3.11.490)	CVE-2024-13871	9.4	Critical
Bitdefender	BOX (Versions 1.3.11.490 through 1.3.11.505)	CVE-2024-13872	9.4	Critical

What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of 48 hours (refer Patch Management):

• Bitdefender Security Advisory CVE-2024-13871: https://www.bitdefender.com/support/security-advisories/unauthenticated-command-injection-in-bitdefender-box-v1/
• Bitdefender Security Advisory CVE-2024-13872: https://www.bitdefender.com/support/security-advisories/insecure-update-mechanism-vulnerability-in-libboxhermes-so-in-bitdefender-box-v1/

Third Party Article

• Dark Web Informer Article: https://darkwebinformer.com/cve-2024-13871-cve-2024-13872-unauthenticated-command-injection-in-bitdefender-box-v1-and-insecure-update-mechanism-vulnerability-in-libboxhermes-so-in-bitdefender-box-v1/