PT-2024-8120 · Siemens · Scalance M812-1 Adsl-Router+13

Published: 2024-08-13 · Updated: 2024-08-23 · CVE-2024-41977

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions:
- RUGGEDCOM RM1224 LTE(4G) EU versions prior to V8.1
- RUGGEDCOM RM1224 LTE(4G) NAM versions prior to V8.1
- SCALANCE M804PB versions prior to V8.1
- SCALANCE M812-1 ADSL-Router family versions prior to V8.1
- SCALANCE M816-1 ADSL-Router family versions prior to V8.1
- SCALANCE M826-2 SHDSL-Router versions prior to V8.1
- SCALANCE M874-2 versions prior to V8.1
- SCALANCE M874-3 versions prior to V8.1
- SCALANCE M874-3 3G-Router (CN) versions prior to V8.1
- SCALANCE M876-3 versions prior to V8.1
- SCALANCE M876-3 (ROK) versions prior to V8.1
- SCALANCE M876-4 versions prior to V8.1
- SCALANCE M876-4 (EU) versions prior to V8.1
- SCALANCE M876-4 (NAM) versions prior to V8.1
- SCALANCE MUM853-1 (A1) versions prior to V8.1
- SCALANCE MUM853-1 (B1) versions prior to V8.1
- SCALANCE MUM853-1 (EU) versions prior to V8.1
- SCALANCE MUM856-1 (A1) versions prior to V8.1
- SCALANCE MUM856-1 (B1) versions prior to V8.1
- SCALANCE MUM856-1 (CN) versions prior to V8.1
- SCALANCE MUM856-1 (EU) versions prior to V8.1
- SCALANCE MUM856-1 (RoW) versions prior to V8.1
- SCALANCE S615 EEC LAN-Router versions prior to V8.1
- SCALANCE S615 LAN-Router versions prior to V8.1
Description: The affected devices do not properly enforce isolation between user sessions in their web server component. This could allow an authenticated remote attacker to escalate their privileges on the devices. The issue is related to the exposure of user session data to wrong sessions.
Recommendations: For all affected versions, upgrade the components to version V8.1 or later to mitigate the risks. As a temporary workaround, consider restricting access to the web server component until a patch is available. Avoid performing sensitive operations on the affected devices until the issue is resolved. At the moment, there is no information about additional mitigation measures.


Weakness Enumeration

Related Identifiers

BDU:2024-09652
CVE-2024-41977

Affected Products

Ruggedcom Rm1224 Lte(4G) Eu
Ruggedcom Rm1224 Lte(4G) Nam
Scalance M804Pb
Scalance M812-1 Adsl-Router
Scalance M816-1 Adsl-Router
Scalance M826-2 Shdsl-Router
Scalance M874-2
Scalance M874-3
Scalance M874-3 3G-Router
Scalance M876-3
Scalance M876-4
Scalance Mum853-1
Scalance Mum856-1
Scalance S615 Eec Lan-Router