CVE-2024-42483

MEDIUM EPSS 21.7%
Published Sep 12, 2024 (1y ago) · Modified Jun 17, 2026 (2w ago)
6.5 CVSS 3.1
Medium

Description

The ESP-NOW component provides a connectionless Wi-Fi communication protocol. A replay attack vulnerability was discovered in the ESP-NOW implementation because the cache is not differentiated by message type: it is a single, shared resource for all kinds of messages, whether they are broadcast or unicast, and regardless of whether they are ciphertext or plaintext. This can allow an attacker to clear the cache of its legitimate entries, thereby creating an opportunity to re-inject previously captured packets. This vulnerability is fixed in 2.5.2.

CVSS Details

Base Score
6.5
Exploitability
2.8
Impact
3.6
Vector string
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector Adjacent
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
21.7% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 2

CWE-345
CWE-349

Affected Products 1

Vendor | Product | Version | Range
espressif | esp-now | * | <2.5.2

References 2

  • github.com https://github.com/espressif/esp-now/commit/4e30db50d541b2909d278ef0db05de1a3d7190ef
    Patch
  • github.com https://github.com/espressif/esp-now/security/advisories/GHSA-wf6q-c2xr-77xj
    Exploit, Third Party Advisory

Remediation

  • github.com https://github.com/espressif/esp-now/commit/4e30db50d541b2909d278ef0db05de1a3d7190ef
    Patch