CVE-2024-25735

9.1 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to retrieve cleartext passwords from WyreStorm Apollo VX20 devices by sending a specific HTTP GET request to the SoftAP configuration endpoint. Attackers can gain administrative access to affected devices without authentication. Organizations using WyreStorm Apollo VX20 devices for AV/streaming applications are affected.

💻 Affected Systems

Products:
  • WyreStorm Apollo VX20
Versions: All versions before 1.3.58
Operating Systems: Embedded Linux/device firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the SoftAP (Software Access Point) configuration interface. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete device compromise allowing attackers to reconfigure devices, intercept sensitive AV streams, pivot to internal networks, and establish persistent backdoors.

🟠 Likely Case: Attackers gain administrative access to devices, potentially disrupting AV operations, accessing connected systems, and stealing credentials for lateral movement.

🟢 If Mitigated: Limited to device configuration exposure if proper network segmentation and access controls prevent external exploitation.

🌐 Internet-Facing: HIGH - Devices exposed to the internet can be exploited directly, without authentication, via a single HTTP request.
🏢 Internal Only: HIGH - Even internally, any attacker on the network can exploit this without credentials.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only a simple HTTP GET request to the /device/config endpoint. Public exploit code is available in Packet Storm disclosures.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.58

Vendor Advisory: Not provided in references

Restart Required: Yes

Instructions:

1. Download firmware version 1.3.58 from the WyreStorm support portal.
2. Access the device web interface.
3. Navigate to System > Firmware Update.
4. Upload and apply the new firmware.
5. Reboot the device after the update completes.

🔧 Temporary Workarounds

Network Segmentation (all)

Isolate WyreStorm devices on a separate VLAN with strict firewall rules preventing external access to device management interfaces.

Access Control Lists (all)

Implement network ACLs to restrict access to device IP addresses on port 80/443 to authorized management stations only.

🧯 If You Can't Patch

  • Physically disconnect devices from networks with untrusted users
  • Change all device passwords after verifying no unauthorized access occurred

🔍 How to Verify

Check if Vulnerable:

Send an HTTP GET request to http://[device_ip]/device/config and check whether the response contains cleartext passwords. With curl: curl -X GET http://[device_ip]/device/config

Check Version:

Access device web interface > System > About to check firmware version, or use API endpoint if available.

Verify Fix Applied:

After updating to 1.3.58, the same GET request should return encrypted/hashed passwords or an access-denied response.

📡 Detection & Monitoring

Log Indicators:

  • HTTP GET requests to /device/config endpoint from unauthorized IPs
  • Multiple failed login attempts followed by successful access

Network Indicators:

  • Unusual HTTP traffic to device management ports from unexpected sources
  • Traffic patterns suggesting configuration scraping

SIEM Query:

sourceIP=* destIP=[device_ip] destPort=80 OR destPort=443 uriPath="/device/config" method=GET
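As an added example (not part of this advisory), the log indicator above applied in code: it scans web-proxy or firewall HTTP logs in Apache combined format for GET /device/config requests from sources outside an assumed management allowlist, and marks a 200 response to such a source as "exposed" (the device still serves the configuration) versus "blocked" (access denied, as expected after the 1.3.58 update). The log lines, the device and client IPs, and the 10.20.1.0/24 management network are constructed placeholders.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample log lines (Apache combined format); all addresses are placeholders.
SAMPLE_LOG = """\
10.20.30.5 - - [12/Mar/2024:09:14:02 +0000] "GET /device/config HTTP/1.1" 200 2381 "-" "curl/8.4.0"
10.20.1.10 - - [12/Mar/2024:09:15:11 +0000] "GET /device/config HTTP/1.1" 200 2381 "-" "Mozilla/5.0"
10.20.30.5 - - [12/Mar/2024:09:14:03 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/8.4.0"
192.0.2.44 - - [12/Mar/2024:09:20:40 +0000] "GET /device/config?x=1 HTTP/1.1" 401 0 "-" "python-requests/2.31"
"""

# Assumed allowlist: management stations permitted to reach the device web UI.
AUTHORIZED_NETS = [ip_network("10.20.1.0/24")]

# Fields of a combined-format access log line that the detection needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string before matching
    return rec


def is_authorized(ip, authorized_nets):
    """True if the client address falls inside one of the allowlisted networks."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # unparsable source: treat as unauthorized
    return any(addr in net for net in authorized_nets)


def find_config_probes(log_text, authorized_nets=AUTHORIZED_NETS):
    """Return GET /device/config requests from non-allowlisted sources, with a verdict."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or rec["path"] != "/device/config":
            continue
        if is_authorized(rec["ip"], authorized_nets):
            continue
        rec["verdict"] = "exposed" if rec["status"] == "200" else "blocked"
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in find_config_probes(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["status"]} {h["ua"]} -> {h["verdict"]}')
```

An "exposed" verdict for a device is the strongest signal that it is still running a version before 1.3.58 and should be prioritized for the firmware update.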
