CVE-2024-29841 Overview
CVE-2024-29841 is a broken access control vulnerability in the Web interface of CS Technologies Evolution Controller versions 2.04.560.31.03.2024 and below. The flaw exists in the DESKTOP_EDIT_USER_GET_KEYS_FIELDS endpoint, which lacks proper authentication checks. An unauthenticated remote attacker can query the endpoint and retrieve the keys value of any user stored on the controller. The issue is classified under CWE-200: Exposure of Sensitive Information to an Unauthorized Actor.
Critical Impact
Unauthenticated remote attackers can extract user key values from Evolution Controller deployments over the network, exposing credentials that may unlock physical access to controlled facilities.
Affected Products
- CS Technologies Evolution Controller version 2.04.560.31.03.2024
- All Evolution Controller versions prior to 2.04.560.31.03.2024
- Evolution Controller Web management interface
Discovery Timeline
- 2024-04-15 - CVE-2024-29841 published to NVD
- 2025-12-10 - Last updated in NVD database
Technical Details for CVE-2024-29841
Vulnerability Analysis
The Evolution Controller exposes a Web management interface used to configure users, credentials, and access rules for physical access control systems. The DESKTOP_EDIT_USER_GET_KEYS_FIELDS action is intended to support administrative editing of user key fields and should require an authenticated administrative session. The implementation does not enforce that authorization check, leaving the endpoint reachable by any network client able to talk to the Web interface.
An attacker who can send HTTP requests to the controller can request key field data for arbitrary user accounts. The keys returned by this endpoint correspond to physical access credentials provisioned on the controller. Exposure of these values undermines the integrity of the access control deployment, since recovered key data can be cloned onto credentials or replayed to gain entry.
Root Cause
The root cause is missing authorization on a sensitive Web action. The endpoint trusts that callers reaching DESKTOP_EDIT_USER_GET_KEYS_FIELDS have already authenticated as administrators, but the server does not validate any session or role before returning data. This is a classic broken access control pattern aligned with [CWE-200].
Attack Vector
Exploitation requires network reachability to the controller's Web interface and no user interaction or prior credentials. The attacker issues a crafted HTTP request to the vulnerable action and parses the response containing the target user's keys. Confidentiality impact is high, while integrity and availability are not directly affected by this specific issue. Details of the request format are documented in the DirectCyber Vulnerability Report.
Detection Methods for CVE-2024-29841
Indicators of Compromise
- Unauthenticated HTTP requests targeting the DESKTOP_EDIT_USER_GET_KEYS_FIELDS action in Web server logs.
- Repeated enumeration patterns iterating user identifiers against the Evolution Controller Web interface.
- Inbound traffic to the controller from source addresses outside the expected management network.
Detection Strategies
- Inspect Web server and reverse proxy logs for requests containing the string DESKTOP_EDIT_USER_GET_KEYS_FIELDS without an associated authenticated session cookie.
- Alert on bursts of requests to the Evolution Controller Web interface originating from a single source within a short window.
- Correlate access to the controller from non-management VLANs or external IP ranges with sensitive endpoint URIs.
Monitoring Recommendations
- Forward Evolution Controller Web logs to a centralized SIEM and apply rules covering known sensitive endpoints.
- Monitor NetFlow or firewall logs for unexpected sessions to the controller's management port.
- Track configuration changes and key field reads to identify post-exploitation activity against access credentials.
How to Mitigate CVE-2024-29841
Immediate Actions Required
- Restrict network access to the Evolution Controller Web interface to dedicated management subnets using firewall or ACL rules.
- Place the controller behind a VPN or jump host so it is not reachable from general user networks or the internet.
- Audit existing user keys and rotate credentials that may have been exposed prior to remediation.
Patch Information
CS Technologies addresses the issue in releases after version 2.04.560.31.03.2024. Operators should upgrade to the latest firmware available from the vendor and confirm the fix by validating that DESKTOP_EDIT_USER_GET_KEYS_FIELDS rejects unauthenticated requests. Refer to the DirectCyber Vulnerability Report for full advisory details covering CVE-2024-29836 through CVE-2024-29844.
Workarounds
- Block external access to the controller's HTTP and HTTPS ports at the perimeter firewall until the device is patched.
- Enforce source IP allowlisting on the Web interface so only known administrative workstations can reach it.
- Disable or segment any unused network interfaces on the controller to reduce the attack surface.
# Example: restrict Evolution Controller Web access to a management subnet
iptables -A INPUT -p tcp --dport 80 -s 10.10.50.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 10.10.50.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

