Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-29843

CVE-2024-29843: Cs-technologies Evolution Disclosure Flaw

CVE-2024-29843 is an information disclosure vulnerability in Cs-technologies Evolution Controller that allows unauthenticated attackers to enumerate users and access levels. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2024-29843 Overview

CVE-2024-29843 affects the web interface of CS-Technologies Evolution Controller versions 2.04.560.31.03.2024 and below. The vulnerability stems from poorly configured access control on the MOBILE_GET_USERS_LIST endpoint. An unauthenticated remote attacker can enumerate all users registered on the controller along with their assigned access levels. The flaw is categorized under [CWE-200] (Exposure of Sensitive Information to an Unauthorized Actor). Evolution Controllers are access control systems deployed in physical security environments, making exposed user data valuable for follow-on attacks against facility access.

Critical Impact

Unauthenticated attackers can retrieve the complete user roster and privilege levels from affected Evolution Controllers over the network.

Affected Products

  • CS-Technologies Evolution Controller versions 2.04.560.31.03.2024 and earlier
  • Evolution Controller web interface component
  • Deployments exposing the MOBILE_GET_USERS_LIST endpoint to untrusted networks

Discovery Timeline

  • 2024-04-15 - CVE-2024-29843 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-29843

Vulnerability Analysis

The Evolution Controller exposes a web interface that handles mobile client requests through endpoints prefixed with MOBILE_. The MOBILE_GET_USERS_LIST endpoint returns the complete list of users provisioned on the controller, including their corresponding access levels. The endpoint lacks authentication and authorization checks, processing requests from any network-reachable client. Attackers can issue a single HTTP request to harvest user identifiers and privilege tiers without supplying credentials. The disclosed information enables targeted password attacks, social engineering, and privilege-tier mapping against the physical access system.

Root Cause

The root cause is a missing access control check on the MOBILE_GET_USERS_LIST handler. The application does not validate session tokens or enforce role-based authorization before returning sensitive user data. This violates the principle of least privilege and aligns with [CWE-200] information exposure patterns.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker with network reachability to the controller's web interface sends a crafted HTTP request to the vulnerable endpoint. The response contains the enumerated user list and access-level metadata. Refer to the DirectCyber Vulnerability Analysis for additional technical context across the CVE-2024-29836 through CVE-2024-29844 cluster.

Detection Methods for CVE-2024-29843

Indicators of Compromise

  • HTTP requests to the MOBILE_GET_USERS_LIST endpoint from unexpected source addresses
  • Unauthenticated GET or POST traffic to the Evolution Controller web interface from outside management networks
  • Response payloads from the controller containing full user lists transmitted to non-administrative clients

Detection Strategies

  • Inspect controller access logs for requests targeting MOBILE_* endpoints without prior authentication events
  • Deploy network signatures on perimeter sensors that flag HTTP traffic to Evolution Controller management URIs originating from non-trusted segments
  • Correlate user-list responses with subsequent authentication attempts to identify reconnaissance-to-exploitation chains

Monitoring Recommendations

  • Centralize Evolution Controller web interface logs into a SIEM for long-term analysis and alerting on anomalous endpoint access
  • Baseline legitimate mobile client traffic patterns and alert on deviations in source IP, frequency, or request volume
  • Monitor outbound traffic from controllers to detect data exfiltration following enumeration activity

How to Mitigate CVE-2024-29843

Immediate Actions Required

  • Restrict network access to the Evolution Controller web interface using firewall rules that permit only authorized management hosts
  • Place affected controllers behind a VPN or management VLAN to remove direct exposure from untrusted networks
  • Audit existing user accounts and access levels on each controller to identify accounts that may already be targeted

Patch Information

No vendor advisory URL is referenced in the NVD record. Operators should contact CS-Technologies directly for firmware updates that address the access control flaw on MOBILE_GET_USERS_LIST. Confirm fixed versions supersede 2.04.560.31.03.2024 before deployment. Review the DirectCyber Vulnerability Analysis for coordinated remediation guidance covering the full CVE cluster.

Workarounds

  • Block external access to the controller's HTTP/HTTPS management ports at the network edge
  • Apply IP allowlisting on the controller or upstream firewall to restrict MOBILE_* endpoint access to known mobile client subnets
  • Disable the mobile interface if mobile client functionality is not required in the deployment
bash
# Example iptables rule restricting controller web interface to management subnet
iptables -A INPUT -p tcp --dport 80 -s 10.10.50.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 10.10.50.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.