A command injection vulnerability exists in the /check_image_and_trigger_recovery API endpoint of Bitdefender Box 1 (firmware version 1.3.11.490). This flaw allows an unauthenticated, network-adjacent attacker to execute arbitrary commands on the device, potentially leading to full remote code execution (RCE).
Fixes

Solution

An automatic update to firmware version 1.3.11.505 fixes the issue.


Workaround

No workaround given by the vendor.

History

Wed, 30 Jul 2025 00:45:00 +0000

Type Values Removed Values Added
First Time appeared Bitdefender
Bitdefender box
Bitdefender box Firmware
CPEs cpe:2.3:h:bitdefender:box:-:*:*:*:*:*:*:*
cpe:2.3:o:bitdefender:box_firmware:1.3.11.490:*:*:*:*:*:*:*
Vendors & Products Bitdefender
Bitdefender box
Bitdefender box Firmware
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Sat, 12 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.002}

epss

{'score': 0.00235}


Wed, 12 Mar 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 12 Mar 2025 12:00:00 +0000

Type Values Removed Values Added
Description A command injection vulnerability exists in the /check_image_and_trigger_recovery API endpoint of Bitdefender Box 1 (firmware version 1.3.11.490). This flaw allows an unauthenticated, network-adjacent attacker to execute arbitrary commands on the device, potentially leading to full remote code execution (RCE).
Title Unauthenticated Command Injection in Bitdefender BOX v1
Weaknesses CWE-77
References
Metrics cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Bitdefender

Published:

Updated: 2025-03-12T14:03:01.498Z

Reserved: 2025-02-13T17:36:44.713Z

Link: CVE-2024-13871

cve-icon Vulnrichment

Updated: 2025-03-12T14:02:55.334Z

cve-icon NVD

Status : Analyzed

Published: 2025-03-12T12:15:14.087

Modified: 2025-07-30T00:40:32.137

Link: CVE-2024-13871

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.