CVE-2024-54849

Vulnerability

The vulnerability affects the CP Plus CP-VNR-3104 network video recorder running firmware version B3223P22C02424. It allows an attacker to obtain the second RSA private key used by the device. The exact code path and configuration required to trigger the issue are not detailed in the available references, but the key exposure could occur through encryption/decryption routines or key storage flaws [1].

Exploitation

The official description [2] states that an attacker can obtain the second RSA private key. The required attacker capabilities (network position, authentication level, user interaction) are not explicitly described, but to exploit the key disclosure an attacker would need some level of access to the device, possibly through network communication or firmware analysis. The concrete steps are not publicly disclosed, but the key leak could be leveraged for man-in-the-middle attacks or decrypting sensitive data [1][2].

Impact

Successful exploitation allows an attacker to obtain the second RSA private key, which can then be used to access sensitive data (confidentiality breach) or execute a man-in-the-middle attack, potentially intercepting or modifying communications. The scope of compromise is device-level, affecting confidentiality and integrity of data processed by the CP-VNR-3104 [2].

Mitigation

As of the publication date (2025-01-10), no official patch or firmware update has been released by CP Plus to address this vulnerability. No workarounds are documented in the available references. Users should monitor the vendor's advisory channels for updates. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog at this time [2].