What is the severity of CVE-2024-13872?

CVE-2024-13872 is considered a high severity vulnerability due to the use of insecure HTTP protocol for downloading updates.

How do I fix CVE-2024-13872?

To fix CVE-2024-13872, update your Bitdefender Box to version 1.3.11.506 or later, which resolves the insecure update mechanism.

What versions of Bitdefender Box are affected by CVE-2024-13872?

CVE-2024-13872 affects Bitdefender Box versions from 1.3.11.490 to 1.3.11.505.

What can an attacker do by exploiting CVE-2024-13872?

An attacker exploiting CVE-2024-13872 could potentially download malicious assets to the device due to the insecure update mechanism.

Is there a workaround for CVE-2024-13872 until a fix is applied?

There is no official workaround for CVE-2024-13872 other than upgrading to the fixed version as soon as possible.

Vulnerability/
CVE-2024-13872

critical

9.4

CWE

319

12/3/2025

CVE-2024-13872: Bitdefender Box Insecure Update Mechanism Vulnerability in libboxhermes.so

First published: Wed Mar 12 2025(Updated: )

Bitdefender Box, versions 1.3.11.490 through 1.3.11.505, uses the insecure HTTP protocol to download assets over the Internet to update and restart daemons and detection rules on the devices. Updates can be remotely triggered through the /set_temp_token API method. Then, an unauthenticated and network-adjacent attacker can use man-in-the-middle (MITM) techniques to return malicious responses. Restarted daemons that use malicious assets can then be exploited for remote code execution on the device.

Credit: cve-requests@bitdefender.com

Affected Software	Affected Version	How to fix
Bitdefender Box	>=1.3.11.490<=1.3.11.505

Remedy

An automatic update to version 1.3.11.505 fixes the issue.

Never miss a vulnerability like this again

Reference Links

https://bitdefender.com/support/security-advisories/insecure-update-mechanism-vulnerability-in-libboxhermes-so-in-bitdefender-box-v1

Frequently Asked Questions

What is the severity of CVE-2024-13872?
CVE-2024-13872 is considered a high severity vulnerability due to the use of insecure HTTP protocol for downloading updates.
How do I fix CVE-2024-13872?
To fix CVE-2024-13872, update your Bitdefender Box to version 1.3.11.506 or later, which resolves the insecure update mechanism.
What versions of Bitdefender Box are affected by CVE-2024-13872?
CVE-2024-13872 affects Bitdefender Box versions from 1.3.11.490 to 1.3.11.505.
What can an attacker do by exploiting CVE-2024-13872?
An attacker exploiting CVE-2024-13872 could potentially download malicious assets to the device due to the insecure update mechanism.
Is there a workaround for CVE-2024-13872 until a fix is applied?
There is no official workaround for CVE-2024-13872 other than upgrading to the fixed version as soon as possible.

collector/mitre-cve
source/MITRE
agent/remedy
agent/title
agent/weakness
agent/references
agent/description
agent/first-publish-date
agent/type
agent/guess-ai
agent/software-canonical-lookup
agent/software-canonical-lookup-request
agent/softwarecombine
collector/nvd-api
source/NVD
agent/last-modified-date
agent/source
agent/author
agent/severity
agent/tags
agent/event
vendor/bitdefender
canonical/bitdefender box

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.