CVE-2024-58337

4.3 MEDIUM

📋 TL;DR

The Akuvox Smart Intercom S539 has an improper access control vulnerability that allows users with 'User' privileges to modify API settings and configurations. This enables privilege escalation to administrative access. Organizations using the Akuvox Smart Intercom S539 are affected.

💻 Affected Systems

Products:
  • Akuvox Smart Intercom S539
Versions: All versions prior to patch
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with default privilege configurations where 'User' accounts have access to API endpoints.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain full administrative control over the intercom system, potentially compromising building security systems, accessing video feeds, and manipulating access controls.

🟠 Likely Case

Unauthorized users escalate privileges to admin level, modify system configurations, and potentially disable security features.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to the intercom system itself without lateral movement.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires valid user credentials but is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Monitor Akuvox security advisories for patch availability.
2. Apply the patch when released.
3. Verify privilege separation after patching.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Isolate intercom systems from critical networks and limit access to authorized IPs only.

Access Control Review (applies to: all)

Audit and restrict user privileges to the minimum necessary access.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate intercom systems
  • Monitor API access logs for unauthorized configuration changes

🔍 How to Verify

Check if Vulnerable:

Test if a user account can access /services/http/api endpoints intended for administrators.

Check Version:

Check the device web interface or console for the firmware version.

Verify Fix Applied:

Verify that user accounts can no longer modify API settings or configurations.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized API configuration changes from user accounts
  • Multiple privilege escalation attempts

Network Indicators:

  • Unusual API calls to administrative endpoints from non-admin IPs

SIEM Query:

source="akuvox_intercom" AND (event_type="config_change" OR api_endpoint="/services/http/api/*") AND user_role="user"
