VYPR
Unrated severity · NVD Advisory · Published Mar 12, 2025 · Updated Mar 12, 2025

Unauthenticated Command Injection in Bitdefender BOX v1

CVE-2024-13871

Description

A command injection vulnerability exists in the /check_image_and_trigger_recovery API endpoint of Bitdefender Box 1 (firmware version 1.3.11.490). This flaw allows an unauthenticated, network-adjacent attacker to execute arbitrary commands on the device, potentially leading to full remote code execution (RCE).

Affected products

2
  • Bitdefender/Box 1
    Range: = firmware 1.3.11.490
  • Bitdefender/BOX v1
    Range: 1.3.11.490

Patches

0

No patches discovered yet.
