CVE-2024-29840 Overview
CVE-2024-29840 affects the Web interface of the CS Technologies Evolution Controller, an access control system. The vulnerability stems from misconfigured access control on the DESKTOP_EDIT_USER_GET_PIN_FIELDS endpoint. An unauthenticated remote attacker can query this endpoint to retrieve the PIN value of any user registered on the controller. The issue affects Evolution Controller versions 2.04.560.31.03.2024 and below. The flaw is classified under [CWE-200] Information Exposure. Because PINs are used to authorize physical access through the controller, disclosure directly undermines the security boundary the device enforces.
Critical Impact
An unauthenticated network attacker can extract user PIN codes from the Evolution Controller, enabling unauthorized physical access to facilities protected by the system.
Affected Products
- CS Technologies Evolution Controller versions 2.04.560.31.03.2024 and below
- Web interface component exposing the DESKTOP_EDIT_USER_GET_PIN_FIELDS function
- Deployments where the controller Web interface is reachable over the network
Discovery Timeline
- 2024-04-15 - CVE-2024-29840 published to NVD
- 2025-12-10 - Last updated in NVD database
- Advisory published by Direct Cyber Security Advisory
Technical Details for CVE-2024-29840
Vulnerability Analysis
The Evolution Controller exposes a Web interface that handles administrative operations through named functions. One of these functions, DESKTOP_EDIT_USER_GET_PIN_FIELDS, returns the stored PIN value associated with a user record. The endpoint does not verify that the caller holds an authenticated administrative session before returning the data. Any party able to send HTTP requests to the controller can invoke the function and receive the PIN in the response. The result is a direct disclosure of credentials that grant physical access through readers, doors, or gates managed by the device.
Root Cause
The root cause is broken access control on a sensitive administrative function [CWE-200]. The handler for DESKTOP_EDIT_USER_GET_PIN_FIELDS omits the authentication and authorization check applied to other administrative endpoints. The function treats requests as trusted regardless of session state. Sensitive identifiers are returned in cleartext within the HTTP response body.
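The pattern described above (one handler among many that skips the session check every other administrative function performs) is easier to see in code. The following is an added, hypothetical model written for this page; it is not the Evolution Controller's firmware or Web interface code. The request and session shapes, the user store, the DESKTOP_EDIT_USER_GET_FIELDS sibling function and the "pin_set" response field are all constructed assumptions. It contrasts per-handler checks, where one omission leaks the PIN, with a dispatcher that enforces a deny-by-default policy before any handler runs and never echoes the secret back:

```python
"""Model of the access-control defect behind CVE-2024-29840 and one fix pattern.

Hypothetical model written for this page: it is not the Evolution Controller's
firmware or Web interface code. The request/session shapes, the user store and
the DESKTOP_EDIT_USER_GET_FIELDS sibling function are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed user store: user id -> record (PINs are sample values)
USERS: Dict[int, dict] = {
    1: {"name": "alice", "pin": "4821"},
    2: {"name": "bob", "pin": "9073"},
}


@dataclass
class Session:
    user: Optional[str] = None   # None = no authenticated session
    is_admin: bool = False


@dataclass
class Request:
    func: str                    # named function, e.g. DESKTOP_EDIT_USER_GET_PIN_FIELDS
    params: dict = field(default_factory=dict)
    session: Session = field(default_factory=Session)


def _lookup(params: dict) -> Optional[dict]:
    """Resolve user_id to a record; malformed or unknown ids yield None."""
    try:
        return USERS.get(int(params.get("user_id", "")))
    except ValueError:
        return None


# --- Vulnerable pattern: every handler does its own auth check ---------------

def get_user_fields(req: Request) -> dict:
    if not req.session.is_admin:            # this handler remembers the check
        return {"status": 401}
    u = _lookup(req.params)
    return {"status": 200, "name": u["name"]} if u else {"status": 404}


def vuln_get_pin_fields(req: Request) -> dict:
    # No session check at all: the PIN goes back to whoever asked
    # (the CWE-200 exposure the page describes)
    u = _lookup(req.params)
    return {"status": 200, "pin": u["pin"]} if u else {"status": 404}


VULN_DISPATCH: Dict[str, Callable[[Request], dict]] = {
    "DESKTOP_EDIT_USER_GET_FIELDS": get_user_fields,
    "DESKTOP_EDIT_USER_GET_PIN_FIELDS": vuln_get_pin_fields,
}


def vuln_dispatch(req: Request) -> dict:
    handler = VULN_DISPATCH.get(req.func)
    return handler(req) if handler else {"status": 404}


# --- Hardened pattern: central policy, deny by default, no raw secret in output --

# Each function is registered with the privilege it needs; unregistered
# functions are refused before any handler code runs.
POLICY: Dict[str, str] = {
    "DESKTOP_EDIT_USER_GET_FIELDS": "admin",
    "DESKTOP_EDIT_USER_GET_PIN_FIELDS": "admin",
}


def safe_get_pin_fields(req: Request) -> dict:
    # Even an authenticated admin gets only "is a PIN set", not the PIN itself
    # (assumes the edit form does not need to display the existing PIN).
    u = _lookup(req.params)
    return {"status": 200, "pin_set": bool(u["pin"])} if u else {"status": 404}


SAFE_DISPATCH: Dict[str, Callable[[Request], dict]] = {
    "DESKTOP_EDIT_USER_GET_FIELDS": get_user_fields,
    "DESKTOP_EDIT_USER_GET_PIN_FIELDS": safe_get_pin_fields,
}


def safe_dispatch(req: Request) -> dict:
    required = POLICY.get(req.func)
    if required is None:
        return {"status": 404}              # unknown function: denied, never routed
    if required == "admin" and not req.session.is_admin:
        return {"status": 401}              # one check, applied to every function
    return SAFE_DISPATCH[req.func](req)


if __name__ == "__main__":
    anon = Request("DESKTOP_EDIT_USER_GET_PIN_FIELDS", {"user_id": "1"})
    print("vulnerable:", vuln_dispatch(anon))   # leaks the PIN
    print("hardened:  ", safe_dispatch(anon))   # 401
```

The design point is that the fix is not "add the missing if-statement to one handler" but moving the check to the dispatcher, so a future function cannot be added without a policy entry, and reducing what the endpoint returns so that even an authorized caller cannot read the stored PIN back.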
Attack Vector
The attack vector is network based and requires no authentication or user interaction. An attacker with reachability to the Evolution Controller Web interface issues a request targeting the DESKTOP_EDIT_USER_GET_PIN_FIELDS function with a target user identifier. The controller responds with the PIN value. The attacker can iterate over user identifiers to enumerate PINs across the entire user base. Refer to the Direct Cyber Security Advisory for the request details disclosed by the researchers.
Detection Methods for CVE-2024-29840
Indicators of Compromise
- HTTP requests to the controller Web interface referencing DESKTOP_EDIT_USER_GET_PIN_FIELDS from unexpected source addresses
- Unauthenticated sessions issuing administrative function calls
- Sequential or scripted requests enumerating user identifiers against the controller
- Web server access logs showing 200 responses to the PIN function without a prior authentication request
Detection Strategies
- Inspect Web interface access logs for any reference to DESKTOP_EDIT_USER_GET_PIN_FIELDS and validate that the source corresponds to an authorized administrator
- Alert on requests to administrative endpoints originating from outside the management network segment
- Correlate door-open events with PIN usage anomalies that may indicate compromised credentials
Monitoring Recommendations
- Forward controller Web logs to a central log platform with retention sufficient for incident response
- Baseline normal administrative request volume and rate, then alert on deviations
- Monitor for repeated requests iterating over user IDs, which suggests enumeration
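The indicators, detection strategies and monitoring points above can be turned into a small log analyzer. The following is an added example for this page, not a tool from CS Technologies or the advisory authors. It assumes the controller's Web server writes combined-format access logs, that the function name appears in a "func=" query parameter alongside "user_id=", that a successful login shows up as a DESKTOP_LOGIN call, and that administrators live on a 10.10.0.0/24 management VLAN; the log lines are constructed. It flags PIN-function requests from outside the management segment, 200 responses with no prior login from that source, and one source walking through many user ids inside a short window:

```python
"""Detection over Web-interface access logs for the indicators listed above.

Added example for this page. The log format, the management network range,
the "func="/"user_id=" query parameters and the DESKTOP_LOGIN function name
are constructed assumptions, not details of the Evolution Controller; adapt
the regex and names to the controller's real log output.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

PIN_FUNC = "DESKTOP_EDIT_USER_GET_PIN_FIELDS"
LOGIN_FUNC = "DESKTOP_LOGIN"                      # assumed name of the login call
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")   # assumed management VLAN
ENUM_THRESHOLD = 5                                # distinct user_ids from one source ...
ENUM_WINDOW = timedelta(minutes=5)                # ... inside this window = enumeration

# Combined log format as Apache/nginx emit it (assumed for the controller)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line into source, time, function, user_id, status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    q = parse_qs(urlsplit(m["url"]).query)
    return {
        "ip": ipaddress.ip_address(m["ip"]),
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "func": q.get("func", [None])[0],
        "user_id": q.get("user_id", [None])[0],
        "status": int(m["status"]),
    }


def analyze(lines: List[str]) -> List[Tuple[str, str]]:
    """Return sorted (rule, source_ip) alerts, each source reported once per rule."""
    alerts = set()
    authenticated = set()                 # sources with an earlier successful login
    enum_seen: Dict[str, List[Tuple[datetime, Optional[str]]]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = str(ev["ip"])
        if ev["func"] == LOGIN_FUNC and ev["status"] == 200:
            authenticated.add(src)
            continue
        if ev["func"] != PIN_FUNC:
            continue
        # Rule 1: PIN function reached from outside the management segment
        if ev["ip"] not in MGMT_NET:
            alerts.add(("pin_func_outside_mgmt", src))
        # Rule 2: 200 on the PIN function with no prior login from that source
        if ev["status"] == 200 and src not in authenticated:
            alerts.add(("pin_func_unauthenticated", src))
        # Rule 3: many distinct user_ids from one source inside the window
        hist = enum_seen[src]
        hist.append((ev["ts"], ev["user_id"]))
        recent = {uid for t, uid in hist if ev["ts"] - t <= ENUM_WINDOW}
        if len(recent) >= ENUM_THRESHOLD:
            alerts.add(("user_id_enumeration", src))
    return sorted(alerts)


# Constructed sample log: an admin on the management VLAN logs in and opens one
# user's edit form, then an outside host hits the PIN function for six user ids.
SAMPLE_LOG = [
    '10.10.0.5 - - [15/Apr/2024:09:00:01 +0000] "POST /?func=DESKTOP_LOGIN HTTP/1.1" 200 312',
    '10.10.0.5 - - [15/Apr/2024:09:00:09 +0000] "GET /?func=DESKTOP_EDIT_USER_GET_PIN_FIELDS&user_id=12 HTTP/1.1" 200 88',
] + [
    f'203.0.113.7 - - [15/Apr/2024:11:30:{i:02d} +0000] "GET /?func=DESKTOP_EDIT_USER_GET_PIN_FIELDS&user_id={i} HTTP/1.1" 200 88'
    for i in range(1, 7)
]

if __name__ == "__main__":
    for rule, src in analyze(SAMPLE_LOG):
        print(f"ALERT {rule}: {src}")
```

Rule 2 is the one that most directly matches the indicator "200 responses to the PIN function without a prior authentication request"; on an unpatched controller it will fire for every outside caller, and after the firmware fix it should only ever fire alongside a 401 or 403, which is a cheap way to confirm the patched endpoint now enforces authentication.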
How to Mitigate CVE-2024-29840
Immediate Actions Required
- Restrict network access to the Evolution Controller Web interface to a dedicated management VLAN or jump host
- Remove any direct exposure of the controller to the internet or untrusted networks
- Rotate all user PINs unless prior exposure can be ruled out, and review recent access logs for misuse
- Contact CS Technologies for a fixed firmware build that enforces authentication on the affected function
Patch Information
The published advisory identifies Evolution Controller versions 2.04.560.31.03.2024 and below as vulnerable. Operators should obtain an updated firmware release directly from CS Technologies that addresses CVE-2024-29840 and the related CVE-2024-29836 through CVE-2024-29844 series documented in the Direct Cyber Security Advisory. Verify the running firmware version after the update and confirm the affected endpoint requires authentication.
Workarounds
- Place the controller behind a firewall that permits administrative HTTP access only from approved IP addresses
- Require VPN access for all administrators reaching the controller management interface
- Disable or filter the Web interface at the network layer until a patched firmware is installed
- Audit user records and reduce stored PINs to the minimum required population while a fix is pending
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.