CVE-2024-4760 – This hardware vulnerability allows attackers to... (How to Fix)

Q: What is the severity of CVE-2024-4760?

CVE-2024-4760 has a CVSS score of 6.3 (MEDIUM). This hardware vulnerability allows attackers to bypass security protections on Microchip SAM microcontrollers by exploiting voltage glitches during startup. Attackers can access the memory bus via debug interfaces even when security bits are set, potentially extracting sensitive data or modifying firmware. Organizations using affected Microchip SAM microcontroller families in embedded systems are at risk.

📋 TL;DR

This hardware vulnerability allows attackers to bypass security protections on Microchip SAM microcontrollers by exploiting voltage glitches during startup. Attackers can access the memory bus via debug interfaces even when security bits are set, potentially extracting sensitive data or modifying firmware. Organizations using affected Microchip SAM microcontroller families in embedded systems are at risk.

💻 Affected Systems

Products:

Microchip SAM E70
SAM S70
SAM V70
SAM V71
SAM G55
SAM 4C
SAM 4S
SAM 4N
SAM 4E
SAM 3S
SAM 3N
SAM 3U

Versions: All versions of affected microcontroller families

Operating Systems: Embedded systems using affected microcontrollers

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability affects hardware security mechanisms, not software configurations.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of device security allowing extraction of encryption keys, firmware modification, and permanent device takeover.

🟠

Likely Case

Extraction of sensitive data from memory, firmware analysis, or intellectual property theft from embedded devices.

🟢

If Mitigated

Limited impact if devices are physically secured and debug interfaces are disabled in production.

🌐 Internet-Facing: LOW - This is primarily a physical access/local attack requiring hardware manipulation.

🏢 Internal Only: MEDIUM - Devices in physically accessible locations could be compromised by insiders or visitors.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires physical access to device and specialized hardware for voltage glitching. Public research demonstrates the attack technique.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: https://ww1.microchip.com/downloads/aemDocuments/documents/MCU32/ProductDocuments/SupportingCollateral/Security-Advisory-CVE-2024-4760.pdf

Restart Required: No

Instructions:

No firmware patch available. Follow vendor mitigation guidance including disabling debug interfaces and implementing physical security controls.

🔧 Temporary Workarounds

Disable Debug Interfaces

all

Permanently disable debug interfaces (JTAG, SWD) in production devices using security fuses or configuration settings.

Consult microcontroller datasheet for specific fuse programming commands

Implement Voltage Monitoring

all

Add external voltage monitoring circuits to detect and respond to glitching attempts.

Hardware design modification - consult electrical engineering resources

🧯 If You Can't Patch

Implement strict physical security controls for devices containing sensitive data
Use additional software-based encryption for sensitive data stored in memory

🔍 How to Verify

Check if Vulnerable:

Check if your device uses affected Microchip SAM microcontroller families. Review device specifications and part numbers.

Check Version:

N/A - Hardware vulnerability affecting all versions

Verify Fix Applied:

Verify debug interfaces are disabled by attempting to connect via JTAG/SWD. Test with security analysis tools if available.

📡 Detection & Monitoring

Log Indicators:

Physical tampering indicators
Unexpected device resets or power anomalies

Network Indicators:

N/A - Primarily physical attack

SIEM Query:

N/A - Physical security monitoring required rather than network/SIEM detection

📊 Metadata

CVE ID: CVE-2024-4760

CVSS v3 Score: 6.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-1247

Published: May 16, 2024

Last Updated: June 6, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON