Pimax VR Security Breach: Hackers Could Exploit CVE-2024-41889 to Take Control
In a recent security advisory, JPCERT/CC has highlighted a significant vulnerability affecting Pimax Play and PiTool, two critical components of the Pimax virtual reality (VR) ecosystem. The vulnerability, tracked as CVE-2024-41889, has been assigned a CVSS score of 9.6, indicating its severe impact on affected systems.
Pimax Play and PiTool, essential tools developed by Pimax for managing their VR headsets and related peripherals, have been found to accept WebSocket connections from unintended endpoints. This flaw allows remote, unauthenticated attackers to potentially execute arbitrary code on vulnerable systems. The implications of such a vulnerability are far-reaching, given the growing reliance on VR technology in various sectors.
Affected products
- Pimax Play: Versions prior to V1.21.01
- PiTool: All versions
The exploitation of this vulnerability could lead to severe consequences, including unauthorized access to the user’s VR environment, data theft, and further network compromise. Given the immersive nature of VR technology, such intrusions could also lead to significant privacy breaches and unauthorized manipulation of the VR experience.
To mitigate the risks associated with CVE-2024-41889, JPCERT/CC and Pimax have issued the following recommendations:
- Update the Software: Users of Pimax Play should immediately update to the latest version as specified by the developer. This update addresses the vulnerability by ensuring that WebSocket connections are restricted to intended endpoints only.
- Discontinue Use of PiTool: As PiTool is no longer supported by the developer, it is strongly advised to cease using the product. Continuing to use unsupported software can expose users to unpatched vulnerabilities and ongoing security risks.
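The advisory does not describe how the fixed Pimax Play restricts connections, so the following is an added example rather than Pimax's code: one common way for a local WebSocket service to accept only intended endpoints is to validate the handshake before upgrading. The function name `checkHandshake`, the allow-listed origin, and the loopback-only, Origin-required policy are assumptions made for illustration.

```javascript
// Added illustration, not Pimax code. Allow-list value is a constructed placeholder.
const ALLOWED_ORIGINS = new Set(["https://app.example.test"]);
const LOOPBACK = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);

// Decide whether a WebSocket upgrade may proceed.
// req: { remoteAddress, headers } with lower-cased header names, as Node's http module provides.
function checkHandshake(req, allowedOrigins = ALLOWED_ORIGINS) {
  const h = req.headers || {};
  if (String(h.upgrade || "").toLowerCase() !== "websocket") {
    return { ok: false, reason: "not a websocket upgrade" };
  }
  // A local helper service has no reason to accept peers off the loopback interface.
  if (!LOOPBACK.has(req.remoteAddress)) {
    return { ok: false, reason: "non-loopback peer" };
  }
  // The same-origin policy does not restrict WebSocket handshakes, so the
  // server has to check Origin itself. Policy assumed here: Origin is required.
  if (typeof h.origin !== "string") {
    return { ok: false, reason: "missing origin" };
  }
  let normalized;
  try {
    normalized = new URL(h.origin).origin; // canonical scheme://host[:port]
  } catch {
    return { ok: false, reason: "malformed origin" };
  }
  // Exact match only: prefix or substring tests accept look-alike hosts.
  if (!allowedOrigins.has(normalized)) {
    return { ok: false, reason: "origin not allowed" };
  }
  return { ok: true, reason: "allowed" };
}

// Constructed sample handshakes.
const samples = [
  { remoteAddress: "127.0.0.1", headers: { upgrade: "websocket", origin: "https://app.example.test" } },
  { remoteAddress: "127.0.0.1", headers: { upgrade: "websocket", origin: "https://app.example.test.other.example" } },
  { remoteAddress: "127.0.0.1", headers: { upgrade: "websocket" } },
  { remoteAddress: "192.0.2.10", headers: { upgrade: "websocket", origin: "https://app.example.test" } },
];
for (const s of samples) {
  console.log(s.remoteAddress, s.headers.origin, "->", checkHandshake(s).reason);
}
```

Logging the rejection reason alongside the peer address and Origin gives defenders a record of handshakes that came from endpoints the service was never meant to serve.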