CVE-2024-29842 Overview
CVE-2024-29842 affects the Web interface of CS Technologies Evolution Controller versions 2.04.560.31.03.2024 and below. The flaw stems from poorly configured access control on the DESKTOP_EDIT_USER_GET_ABACARD_FIELDS endpoint. An unauthenticated remote attacker can query this endpoint to return the abacard field of any user registered in the controller. The Evolution Controller is an access control product, so leaked card field data can directly support facility intrusion. The vulnerability is one of a cluster (CVE-2024-29836 through CVE-2024-29844) disclosed by DirectCyber covering the same product line.
Critical Impact
Unauthenticated network attackers can extract sensitive access card identifiers from any user account in the controller, enabling downstream physical access compromise.
Affected Products
- CS Technologies Evolution Controller version 2.04.560.31.03.2024
- All prior CS Technologies Evolution Controller firmware versions
- Web interface component exposing DESKTOP_EDIT_USER_GET_ABACARD_FIELDS
Discovery Timeline
- 2024-04-15 - CVE-2024-29842 published to the National Vulnerability Database (NVD)
- 2025-12-10 - Last updated in NVD database
Technical Details for CVE-2024-29842
Vulnerability Analysis
The vulnerability is a broken access control issue classified under [CWE-200] Exposure of Sensitive Information to an Unauthorized Actor. The Evolution Controller exposes a web management interface that includes the DESKTOP_EDIT_USER_GET_ABACARD_FIELDS action. This action returns the abacard field, which holds the access card identifier associated with a user account. The endpoint does not enforce authentication or session validation before returning data. Any attacker with network reachability to the controller's web interface can invoke the action and harvest card field values across the user database.
Root Cause
The root cause is missing authorization on a sensitive read endpoint. The handler trusts the request without verifying that the caller holds an authenticated administrative session. Card field data should be restricted to privileged operators, but the function path bypasses the access control layer entirely.
Attack Vector
Exploitation requires only network access to the controller's web interface. The attacker issues an HTTP request to the DESKTOP_EDIT_USER_GET_ABACARD_FIELDS action with a target user identifier and receives the card field in the response. No credentials, user interaction, or special privileges are required. The attack is fully unauthenticated and remotely triggerable. Refer to the DirectCyber Vulnerability Overview for additional context across the disclosed cluster.
Detection Methods for CVE-2024-29842
Indicators of Compromise
- HTTP requests to the web interface referencing the DESKTOP_EDIT_USER_GET_ABACARD_FIELDS action string
- Sequential or enumerated requests against user identifier parameters from a single source address
- Responses from the controller containing abacard field values returned to unauthenticated sessions
Detection Strategies
- Inspect web server and reverse proxy logs for any access to endpoints containing DESKTOP_EDIT_USER_GET_ABACARD_FIELDS
- Alert on requests to the controller's management interface originating from addresses outside the authorized operator network
- Correlate large volumes of user-field queries with the absence of a prior authenticated login event
Monitoring Recommendations
- Forward Evolution Controller web access logs to a centralized log platform for retention and search
- Baseline normal administrative request patterns and alert on deviations targeting user data endpoints
- Monitor north-south traffic to controller management ports for unauthenticated session activity
How to Mitigate CVE-2024-29842
Immediate Actions Required
- Restrict network reachability to the Evolution Controller web interface using firewall rules or VLAN segmentation
- Place the controller behind a VPN or jump host so the management interface is not exposed to untrusted networks
- Audit existing user abacard values and rotate or reissue access credentials suspected of exposure
- Contact CS Technologies for firmware guidance addressing the access control failure
Patch Information
No vendor advisory URL or fixed version is listed in the NVD record at the time of writing. Operators should contact CS Technologies directly and consult the DirectCyber Vulnerability Overview for the latest vendor remediation status. Apply any firmware update beyond version 2.04.560.31.03.2024 once published.
Workarounds
- Block external access to the controller's HTTP and HTTPS management ports at the perimeter firewall
- Limit web interface access to a dedicated administrative subnet using access control lists
- Disable the web management interface when not actively used for configuration tasks
- Monitor and rate-limit requests to user-data endpoints using a web application firewall in front of the controller
# Example iptables rules restricting Evolution Controller web access to an admin subnet
iptables -A INPUT -p tcp --dport 443 -s 10.10.50.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
iptables -A INPUT -p tcp --dport 80 -s 10.10.50.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

