CVE-2025-24840

Vulnerability

Overview

CVE-2025-24840 describes an improper access control vulnerability in Edge Orchestrator software for Intel(R) Tiber(TM) Edge Platform prior to version 24.11.1. The flaw allows an unauthenticated attacker with adjacent network access to potentially escalate privileges [1]. The root cause is insufficient access control mechanisms that fail to properly validate requests, enabling unauthorized operations on the orchestration component.

Attack

Scenario

An attacker must be on the same network segment as the affected Edge Orchestrator instance (adjacent access). No prior authentication is required; the attacker can send crafted requests to the vulnerable service to exploit the improper access controls. The adjacent network requirement places the attack surface primarily within local network environments or broadcast domains [1].

Impact

Successful exploitation could allow the attacker to escalate privileges, potentially gaining higher-level permissions within the orchestration platform. This could lead to unauthorized configuration changes, data access, or further compromise of the edge platform's components. The CVSS v3 base score of 5.8 (Medium) reflects the moderate severity and the need for adjacent network access [1].

Mitigation

Intel has released software version 24.11.1 to address this vulnerability. Users are strongly advised to update their Edge Orchestrator software to the latest version. No workarounds have been published; the fix is available through the Intel security advisory INTEL-SA-01317 [1].