CVE-2024-45861 Overview
CVE-2024-45861 is a hard-coded credential vulnerability affecting Kastle Systems access control firmware released prior to May 1, 2024. An attacker with network access to an affected device can use the embedded credential to retrieve sensitive information from the system. The flaw is tracked under [CWE-798: Use of Hard-coded Credentials] and was disclosed in CISA ICS Advisory ICSA-24-263-05. The vulnerability is remotely exploitable without authentication or user interaction, which makes the access control hardware a direct exposure point for facilities relying on Kastle for physical security.
Critical Impact
A remote, unauthenticated attacker can leverage a hard-coded credential in Kastle access control firmware to access sensitive information stored on or processed by the device.
Affected Products
- Kastle Access Control System Firmware versions released prior to May 1, 2024
- Kastle Access Control System hardware running affected firmware
- Deployments referenced under CPE cpe:2.3:o:kastle:access_control_system_firmware and cpe:2.3:h:kastle:access_control_system
Discovery Timeline
- 2024-09-19 - CVE-2024-45861 published to the National Vulnerability Database
- 2024-09-30 - Last updated in NVD database
Technical Details for CVE-2024-45861
Vulnerability Analysis
The vulnerability stems from a hard-coded credential embedded in Kastle Systems access control firmware shipped before May 1, 2024. Hard-coded credentials are static values written directly into firmware images or binaries. They cannot be rotated by administrators and are identical across deployed units of the same firmware build. An attacker who recovers the credential through firmware extraction, vendor documentation leaks, or reverse engineering can authenticate against every device running the affected firmware.
The device exposes services reachable over the network, and the credential grants access to functionality that returns sensitive information. The CWE-798 classification confirms the root cause is credential hard-coding rather than a protocol or memory safety defect. Because access control systems sit at the boundary of physical and logical security, exposure of authentication material, badge data, or configuration details can support follow-on attacks against the protected facility.
Root Cause
The firmware contains an authentication secret compiled into the device image. The credential is not generated per device, is not user-configurable, and is not derived from a unique hardware identifier. Any party who obtains a copy of the firmware or extracts the secret from one device can reuse it against every other deployment.
Attack Vector
Exploitation requires network reachability to the access control device. The attack vector is remote, the attack complexity is low, no privileges are required, and no user interaction is needed. An attacker on the same network segment, or with routed access to the management interface, can submit the hard-coded credential to authenticate and read sensitive data exposed by the device.
No verified public proof-of-concept code is available. The vulnerability mechanism is described in prose per the CISA ICS Advisory ICSA-24-263-05.
Detection Methods for CVE-2024-45861
Indicators of Compromise
- Successful authentication events on Kastle access control devices from IP addresses outside expected administrative ranges
- Unexpected configuration reads, credential dumps, or bulk data retrieval from access control management interfaces
- Network connections to Kastle devices originating from non-administrative VLANs or external networks
Detection Strategies
- Inventory all Kastle access control firmware versions and flag any device on firmware predating May 1, 2024
- Monitor authentication logs on access control devices for logins that do not correlate with named administrator activity
- Alert on management protocol traffic to Kastle devices originating from segments that should not reach physical security infrastructure
Monitoring Recommendations
- Forward access control device logs to a centralized SIEM and retain authentication events for incident review
- Baseline normal administrative access patterns and trigger on deviations such as off-hours logins or new source addresses
- Correlate physical access control telemetry with network identity data to identify reuse of the hard-coded credential
How to Mitigate CVE-2024-45861
Immediate Actions Required
- Identify every Kastle access control device on the network and confirm firmware release date relative to May 1, 2024
- Restrict network reachability to access control management interfaces to a dedicated administrative VLAN
- Contact Kastle Systems to confirm firmware status and obtain updated images for affected units
- Review access control device logs for evidence of unauthorized authentication or data retrieval
Patch Information
Kastle Systems addressed the issue in firmware released on or after May 1, 2024. Operators should coordinate with Kastle to deploy the updated firmware on all affected access control devices. Refer to CISA ICS Advisory ICSA-24-263-05 for vendor-coordinated remediation guidance.
Workarounds
- Isolate Kastle access control devices on a segmented network unreachable from general user, guest, or internet-facing segments
- Enforce firewall rules that permit management traffic only from designated administrator workstations
- Disable or restrict any network services on the device that are not required for operational use
- Increase monitoring of physical access control infrastructure until patched firmware is deployed
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
