PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-47256 2N CVE debrief

A medium-severity vulnerability in 2N Access Commander versions 1.14 and prior allows attackers with administrative privileges to extract hardcoded AES passphrases. These passphrases may enable decryption of sensitive data within backup files. The issue was disclosed on November 14, 2024, with an advisory update published February 11, 2025. 2N has released Access Commander version 3.3 as a fix.

Vendor: 2N
Product: Access Commander
CVSS: MEDIUM (6.0)
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-11-14
Original CVE updated: 2025-02-11
Advisory published: 2024-11-14
Advisory updated: 2025-02-11

Who should care

Organizations using 2N Access Commander for physical access control management, particularly those maintaining backups of system configurations. Security teams responsible for industrial control systems and building access management infrastructure should prioritize patching. Administrators with backup retention policies spanning multiple versions should assess exposure of historical backup data.

Technical summary

In 2N Access Commander versions 1.14 and prior, AES encryption passphrases are hardcoded within the application. An attacker with administrative access privileges can read these passphrases and use them to decrypt data contained within backup files. The vulnerability requires local access and high privileges, limiting exposure but creating significant impact for confidentiality and integrity of backed-up system data. The CVSS 3.1 score of 6.0 reflects this attack vector and privilege requirement.

Defensive priority

medium

Recommended defensive actions

  • Upgrade 2N Access Commander to version 3.3 or later from the 2N download center
  • Review and rotate any credentials or keys that may have been exposed in backup files from affected versions
  • Restrict administrative access to Access Commander systems to authorized personnel only
  • Audit backup file storage locations and ensure encryption at rest for backup archives
  • Monitor for unauthorized access attempts to Access Commander administrative interfaces

Evidence notes

CISA ICS advisory ICSA-24-319-17 (Update A) documents this vulnerability with CVSS 3.1 vector AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N. The advisory confirms that administrative access is required for exploitation and that the hardcoded AES passphrases, which allow backup files to be decrypted, are the exposure vector. Vendor fix version 3.3 was released to address this issue.

Official resources
