Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-40087

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-21 Oct, 2024 | 00:00
Updated At-22 Oct, 2024 | 17:04
Rejected At-
Credits

Vilo 5 Mesh WiFi System <= 5.16.1.33 is vulnerable to Insecure Permissions. Lack of authentication in the custom TCP service on port 5432 allows remote, unauthenticated attackers to gain administrative access over the router.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:21 Oct, 2024 | 00:00
Updated At:22 Oct, 2024 | 17:04
Rejected At:
▼CVE Numbering Authority (CNA)

Vilo 5 Mesh WiFi System <= 5.16.1.33 is vulnerable to Insecure Permissions. Lack of authentication in the custom TCP service on port 5432 allows remote, unauthenticated attackers to gain administrative access over the router.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://vilo.com
N/A
https://github.com/byu-cybersecurity-research/vilo/blob/main/vulns/CVE-2024-40087.md
N/A
Hyperlink: http://vilo.com
Resource: N/A
Hyperlink: https://github.com/byu-cybersecurity-research/vilo/blob/main/vulns/CVE-2024-40087.md
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Vendor
viloliving
Product
vilo_5_mesh_wifi_system_firmware
CPEs
  • cpe:2.3:o:viloliving:vilo_5_mesh_wifi_system_firmware:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 0 through 5.16.1.33 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-306CWE-306 Missing Authentication for Critical Function
Type: CWE
CWE ID: CWE-306
Description: CWE-306 Missing Authentication for Critical Function
Metrics
VersionBase scoreBase severityVector
3.19.6CRITICAL
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Version: 3.1
Base score: 9.6
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:21 Oct, 2024 | 21:15
Updated At:07 Jul, 2025 | 17:37

Vilo 5 Mesh WiFi System <= 5.16.1.33 is vulnerable to Insecure Permissions. Lack of authentication in the custom TCP service on port 5432 allows remote, unauthenticated attackers to gain administrative access over the router.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.19.6CRITICAL
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 9.6
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CPE Matches
viloliving
viloliving
>>vilo_5_firmware>>Versions up to 5.16.1.33(inclusive)
cpe:2.3:o:viloliving:vilo_5_firmware:*:*:*:*:*:*:*:*
viloliving
viloliving
>>vilo_5>>-
cpe:2.3:h:viloliving:vilo_5:-:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-306Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-306
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
http://vilo.comcve@mitre.org
Not Applicable
https://github.com/byu-cybersecurity-research/vilo/blob/main/vulns/CVE-2024-40087.mdcve@mitre.org
Third Party Advisory
Hyperlink: http://vilo.com
Source: cve@mitre.org
Resource:
Not Applicable
Hyperlink: https://github.com/byu-cybersecurity-research/vilo/blob/main/vulns/CVE-2024-40087.md
Source: cve@mitre.org
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

9Records found
CVE-2024-40086
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.6||CRITICAL
EPSS-0.23% / 46.10%
||
7 Day CHG~0.00%
Published-21 Oct, 2024 | 00:00
Updated-23 Oct, 2024 | 15:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Buffer Overflow vulnerability in the local_app_set_router_wifi_SSID_PWD function of Vilo 5 Mesh WiFi System <= 5.16.1.33 allows remote, unauthenticated attackers to execute arbitrary code via a password field larger than 64 bytes in length.

Action-Not Available
Vendor-n/aviloliving
Product-n/avilo_5_mesh_wifi_system_firmware
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVE-2024-40083
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.6||CRITICAL
EPSS-0.23% / 46.10%
||
7 Day CHG~0.00%
Published-21 Oct, 2024 | 00:00
Updated-23 Oct, 2024 | 15:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Buffer Overflow vulnerabilty in the local_app_set_router_token function of Vilo 5 Mesh WiFi System <= 5.16.1.33 allows remote, unauthenticated attackers to execute arbitrary code via sscanf reading the token and timezone JSON fields into a fixed-length buffer.

Action-Not Available
Vendor-n/aviloliving
Product-n/avilo_5_mesh_wifi_system_firmware
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVE-2024-40085
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.6||CRITICAL
EPSS-0.23% / 46.10%
||
7 Day CHG~0.00%
Published-21 Oct, 2024 | 00:00
Updated-23 Oct, 2024 | 15:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Buffer Overflow vulnerability in the local_app_set_router_wan function of Vilo 5 Mesh WiFi System <= 5.16.1.33 allows remote, unauthenticated attackers to execute arbitrary code via pppoe_username and pppoe_password fields being larger than 128 bytes in length.

Action-Not Available
Vendor-n/aviloliving
Product-n/avilo_5_mesh_wifi_system_firmware
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVE-2024-40084
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.6||CRITICAL
EPSS-0.39% / 59.47%
||
7 Day CHG~0.00%
Published-21 Oct, 2024 | 00:00
Updated-07 Jul, 2025 | 17:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Buffer Overflow in the Boa webserver of Vilo 5 Mesh WiFi System <= 5.16.1.33 allows remote, unauthenticated attackers to execute arbitrary code via exceptionally long HTTP methods or paths.

Action-Not Available
Vendor-vilolivingn/aviloliving
Product-vilo_5_firmwarevilo_5n/avilo_5_mesh_wifi_system_firmware
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVE-2024-40091
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.10% / 28.92%
||
7 Day CHG~0.00%
Published-21 Oct, 2024 | 00:00
Updated-07 Jul, 2025 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vilo 5 Mesh WiFi System <= 5.16.1.33 lacks authentication in the Boa webserver, which allows remote, unauthenticated attackers to retrieve logs with sensitive system.

Action-Not Available
Vendor-vilolivingn/aviloliving
Product-vilo_5_firmwarevilo_5n/avilo_5_mesh_wifi_system_firmware
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2021-3825
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
ShareView Details
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
CVSS Score-9.6||CRITICAL
EPSS-0.40% / 60.17%
||
7 Day CHG~0.00%
Published-01 Oct, 2021 | 14:36
Updated-16 Sep, 2024 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization Checks in LiderAhenk

On 2.1.15 version and below of Lider module in LiderAhenk software is leaking it's configurations via an unsecured API. An attacker with an access to the configurations API could get valid LDAP credentials.

Action-Not Available
Vendor-pardusTUBITAK
Product-liderahenkLider
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2024-23618
Matching Score-4
Assigner-Exodus Intelligence
ShareView Details
Matching Score-4
Assigner-Exodus Intelligence
CVSS Score-9.6||CRITICAL
EPSS-0.27% / 50.50%
||
7 Day CHG~0.00%
Published-25 Jan, 2024 | 23:35
Updated-17 Jun, 2025 | 21:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Arris SURFboard SBG6950AC2 Arbitrary Code Execution Vulnerability

An arbitrary code execution vulnerability exists in Arris SURFboard SGB6950AC2 devices. An unauthenticated attacker can exploit this vulnerability to achieve code execution as root.

Action-Not Available
Vendor-commscopeArris
Product-arris_surfboard_sbg6950ac2arris_surfboard_sbg6950ac2_firmwareSURFboard SBG6950AC2
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2025-48469
Matching Score-4
Assigner-5f57b9bf-260d-4433-bf07-b6a79e9bb7d4
ShareView Details
Matching Score-4
Assigner-5f57b9bf-260d-4433-bf07-b6a79e9bb7d4
CVSS Score-9.6||CRITICAL
EPSS-0.09% / 26.04%
||
7 Day CHG-0.01%
Published-24 Jun, 2025 | 02:17
Updated-09 Jul, 2025 | 15:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated Firmware Upload

Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload firmware through a public update page, potentially leading to backdoor installation or privilege escalation.

Action-Not Available
Vendor-Advantech (Advantech Co., Ltd.)
Product-wise-4010lanwise-4060lanwise-4010lan_firmwarewise-4050lanwise-4060lan_firmwarewise-4050lan_firmwareAdvantech Wireless Sensing and Equipment (WISE)
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2021-36779
Matching Score-4
Assigner-SUSE
ShareView Details
Matching Score-4
Assigner-SUSE
CVSS Score-9.6||CRITICAL
EPSS-0.05% / 16.45%
||
7 Day CHG~0.00%
Published-17 Dec, 2021 | 08:55
Updated-16 Sep, 2024 | 23:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Host operations allowed in privileged Longhorn managed pods

A Missing Authentication for Critical Function vulnerability in SUSE Longhorn allows any workload in the cluster to execute any binary present in the image on the host without authentication. This issue affects: SUSE Longhorn longhorn versions prior to 1.1.3; longhorn versions prior to 1.2.3.

Action-Not Available
Vendor-The Linux FoundationSUSE
Product-longhornLonghorn
CWE ID-CWE-306
Missing Authentication for Critical Function
Details not found