CVE-2024-47253 2N CVE debrief

Who should care

Organizations using 2N Access Commander for physical access control management, particularly those with internet-facing deployments or integrated into critical infrastructure environments. Security teams responsible for OT/ICS asset protection and vulnerability management programs should prioritize this patch.

Technical summary

The vulnerability exists in 2N Access Commander versions 3.1.1.2 and prior due to improper path validation, allowing an attacker with high privileges to traverse the filesystem and write arbitrary files. This can be leveraged to achieve arbitrary remote code execution on the affected system. The attack vector is network-based with low attack complexity, though it requires high privileges. The vulnerability does not require user interaction and has high impact on confidentiality, integrity, and availability.

Defensive priority

high

Recommended defensive actions

• Upgrade 2N Access Commander to version 3.3 or later from the 2N download center.
• Review and restrict network access to Access Commander management interfaces; deploy behind VPN or firewall rules limiting source IPs.
• Audit filesystem for unauthorized files or modifications if running affected versions prior to patching.
• Apply CISA ICS recommended practices for network segmentation and defense-in-depth for OT/ICS environments.
• Monitor for anomalous authentication attempts or privileged access to Access Commander administrative interfaces.

Evidence notes

CISA ICS advisory ICSA-24-319-17 (Update A) confirms the path traversal vulnerability in 2N Access Commander ≤3.1.1.2 with CVSS 3.1 vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The advisory was initially published 2024-11-14 and modified 2025-02-11 to add new vulnerabilities, affected products, and updated mitigations. Vendor fix available: Access Commander version 3.3.

Official resources