CVE-2024-13871

Name of the Vulnerable Software and Affected Versions: Bitdefender Box 1 version 1.3.11.490

Description: A command injection vulnerability exists in the "/check image and trigger recovery" API endpoint, allowing an unauthenticated, network-adjacent attacker to execute arbitrary commands on the device, potentially leading to full remote code execution (RCE).

Recommendations: For Bitdefender Box 1 version 1.3.11.490, as a temporary workaround, consider disabling access to the "/check image and trigger recovery" API endpoint until a patch is available. Restrict access to this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.