CVE-2024-29837: 
CS Technologies Evolution vulnerability analysis and mitigation

The Evolution Controller Versions 2.04.560.31.03.2024 and below contains a critical security vulnerability related to poor session management in its web interface. This vulnerability (CVE-2024-29837) allows an unauthenticated attacker to access administrator functionality if any other user is already signed in. The vulnerability was discovered and reported in April 2024, affecting the web interface component of Evolution Controller, a physical access control system developed by CS Technologies (DirectCyber Advisory).

The vulnerability stems from improper session management implementation in the web interface. It has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, no privileges required, and user interaction required. The vulnerability has been classified under CWE-284 (Improper Access Control) and CWE-1390 (Weak Authentication) (DirectCyber Advisory).

The exploitation of this vulnerability could allow unauthorized access to administrator functionality, potentially enabling attackers to control physical access systems, modify user permissions, and access sensitive information. The high severity rating indicates that successful exploitation could lead to a complete compromise of system confidentiality, integrity, and availability (DirectCyber Advisory).

As there is currently no patch available from the vendor, the following workarounds are recommended: Remove the Evolution Controller from internet exposure and place it behind a separate network, change default passwords to strong alternatives, and as a last resort, consider disabling the web interface completely. These measures should be implemented immediately to reduce the risk of exploitation (DirectCyber Advisory).

The vendor, CS Technologies, has not responded to multiple disclosure attempts over a 90-day period, leading to the public disclosure of this vulnerability. DirectCyber has also attempted to contact CS Technologies prior to publication without success (DirectCyber Advisory).