PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-10456 Delta Electronics CVE debrief

Delta Electronics InfraSuite Device Master versions prior to 1.0.12 contain a critical deserialization vulnerability in the Device-Gateway component. The flaw allows unauthenticated remote attackers to deserialize arbitrary .NET objects, leading to remote code execution. This vulnerability is particularly severe as it requires no authentication and can be exploited remotely over the network. The vulnerability was disclosed by CISA on October 29, 2024, with a CVSS 3.1 score of 9.8 (Critical). Delta Electronics has addressed this issue in version 1.0.13, released in October 2024. Organizations using affected versions should prioritize updating to version 1.0.13 or later, as this vulnerability poses significant risk to industrial control system environments where InfraSuite Device Master is deployed for data center infrastructure management.

Vendor: Delta Electronics
Product: InfraSuite Device Master
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-10-29
Original CVE updated: 2024-10-29
Advisory published: 2024-10-29
Advisory updated: 2024-10-29

Who should care

Organizations operating Delta Electronics InfraSuite Device Master for data center infrastructure management, particularly in industrial control system and operational technology environments. Security teams responsible for OT/ICS asset protection and patch management should prioritize this vulnerability due to its unauthenticated remote exploitation capability and critical severity rating.

Technical summary

A deserialization vulnerability in the Device-Gateway component of Delta Electronics InfraSuite Device Master versions prior to 1.0.12 allows unauthenticated remote attackers to execute arbitrary code by deserializing malicious .NET objects. The vulnerability is reachable over the network with no authentication required, resulting in a CVSS 3.1 score of 9.8 (Critical). The affected product is used for data center infrastructure management. Delta Electronics released version 1.0.13 in October 2024 to address this vulnerability.

Defensive priority

Critical

Recommended defensive actions

  • Update Delta Electronics InfraSuite Device Master to version 1.0.13 or later immediately
  • If immediate patching is not possible, restrict network access to the Device-Gateway component to authorized administrative hosts only
  • Monitor for suspicious network traffic targeting the Device-Gateway service on affected systems
  • Review system logs for indicators of compromise, particularly unexpected process execution or .NET assembly loading
  • Apply network segmentation to isolate InfraSuite Device Master systems from untrusted networks
  • Follow CISA ICS recommended practices for securing industrial control systems

Evidence notes

CISA ICS advisory ICSA-24-303-03 confirms the vulnerability affects InfraSuite Device Master versions prior to 1.0.12, with remote code execution possible via unauthenticated .NET deserialization in the Device-Gateway component. The advisory states Delta Electronics fixed this issue in version 1.0.13 released October 2024.
