CVE-2024-25830

F-logic DataCube3 v1.0 is vulnerable to Incorrect Access Control due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains the path of the configuration file. A successful exploit could allow the attacker to extract the root and admin password.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://neroteam.com/blog/f-logic-datacube3-vulnerability-report	Exploit Third Party Advisory
https://neroteam.com/blog/f-logic-datacube3-vulnerability-report	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:f-logic:datacube3_firmware:1.0:*:*:*:*:*:*:*

cpe:2.3:h:f-logic:datacube3:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-02-29 01:44

Updated : 2025-06-10 19:22

NVD link : CVE-2024-25830

Mitre link : CVE-2024-25830

CVE.ORG link : CVE-2024-25830

JSON object : View

Products Affected

f-logic

datacube3
datacube3_firmware

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-284

Improper Access Control

{"id": "CVE-2024-25830", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2024-02-29T01:44:16.533", "references": [{"url": "https://neroteam.com/blog/f-logic-datacube3-vulnerability-report", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://neroteam.com/blog/f-logic-datacube3-vulnerability-report", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "F-logic DataCube3 v1.0 is vulnerable to Incorrect Access Control due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains the path of the configuration file. A successful exploit could allow the attacker to extract the root and admin password."}, {"lang": "es", "value": "F-logic DataCube3 v1.0 es vulnerable a un control de acceso incorrecto debido a una restricci\u00f3n de acceso al directorio incorrecta. Un atacante remoto no autenticado puede aprovechar esto enviando un URI que contenga la ruta del archivo de configuraci\u00f3n. Un exploit exitoso podr\u00eda permitir al atacante extraer la contrase\u00f1a de root y de administrador."}], "lastModified": "2025-06-10T19:22:13.847", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:f-logic:datacube3_firmware:1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1F73E586-1AD1-4280-B63B-CFB91BD33BF0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:f-logic:datacube3:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "C0F1221C-A9CB-4625-AABD-2E4890FA6E93"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}