PatchSiren cyber security CVE debrief
CVE-2024-42495 Hughes Network Systems CVE debrief
CVE-2024-42495 (CVSS 6.5, Medium) describes a cleartext credential transmission vulnerability in Hughes Network Systems WL3000 Fusion Software, published 2024-09-05. Device configuration credentials were transmitted via an unencrypted protocol, enabling read-only access to network and terminal configuration data for attackers with adjacent network access. The attack vector is adjacent (AV:A), requires no privileges or user interaction (PR:N/UI:N), and results in high confidentiality impact (C:H) with no integrity or availability impact. Hughes Network Systems has patched this vulnerability; no user action is required. Organizations should contact Hughes customer support with any questions.
- Vendor: Hughes Network Systems
- Product: WL3000 Fusion Software
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-09-05
- Original CVE updated: 2024-09-05
- Advisory published: 2024-09-05
- Advisory updated: 2024-09-05
Who should care
Satellite network operators, critical infrastructure providers using Hughes satellite terminals, ICS/SCADA security teams, and organizations with remote site connectivity via Hughes WL3000 systems.
Technical summary
The WL3000 Fusion Software transmitted device configuration credentials without encryption. An attacker with adjacent network access could intercept these credentials, gaining read-only access to network configuration and terminal configuration data. The vulnerability does not permit modification of configuration or disruption of service. Hughes Network Systems has deployed patches automatically; affected systems should be running version 2.7.0.10 or later.
Defensive priority
medium
Recommended defensive actions
- Contact Hughes Network Systems customer support if questions remain about patch deployment status for WL3000 Fusion Software.
- Verify WL3000 Fusion Software is running version 2.7.0.10 or later.
- Segment satellite terminal management networks from untrusted or guest networks to limit adjacent attack vectors.
- Monitor network traffic for unencrypted credential exchanges on management interfaces.
- Apply CISA ICS recommended practices for defense-in-depth strategies in satellite/SCADA environments.
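An added example for the version check listed above (not code from Hughes, CISA, or this page's source): it compares reported versions against 2.7.0.10 numerically, since plain string comparison ranks "2.7.0.9" above "2.7.0.10". The inventory rows and the way version strings are collected are constructed assumptions.

```python
# Added example: audit reported WL3000 Fusion Software versions against the
# fixed release named in the advisory. Inventory data below is constructed.
import re

FIXED = (2, 7, 0, 10)  # 2.7.0.10, the fixed version stated on this page

_VERSION_RE = re.compile(r"\d+(\.\d+){1,3}")


def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a dotted version."""
    text = (text or "").strip()
    if not _VERSION_RE.fullmatch(text):
        return None
    parts = [int(p) for p in text.split(".")]
    parts += [0] * (4 - len(parts))  # treat "2.7" as 2.7.0.0
    return tuple(parts)


def classify(version_text):
    """'patched', 'vulnerable', or 'unknown' (unparseable: needs manual review)."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    return "patched" if v >= FIXED else "vulnerable"


def audit(inventory):
    """Map each status to the sorted list of site names with that status."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for site, version_text in inventory:
        report[classify(version_text)].append(site)
    return {k: sorted(v) for k, v in report.items()}


# Constructed sample inventory: (site name, version string as reported).
SAMPLE = [
    ("site-a", "2.7.0.10"),
    ("site-b", "2.7.0.9"),  # string comparison would wrongly rank this above 2.7.0.10
    ("site-c", "2.8.0.1"),
    ("site-d", "2.7"),
    ("site-e", "n/a"),
]

if __name__ == "__main__":
    for status, sites in audit(SAMPLE).items():
        print(f"{status}: {', '.join(sites) or '-'}")
```

Entries reported as "unknown" are terminals whose version string could not be parsed and should be checked by hand rather than assumed patched.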
Evidence notes
CISA ICS Advisory ICSA-24-249-01 confirms Hughes Network Systems patched the vulnerability with no user action required. CVSS 3.1 vector AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N indicates adjacent network access is required.
Official resources
- CVE-2024-42495 CVE record (CVE.org)
- CVE-2024-42495 NVD detail (NVD)
- Source item URL (cisa_csaf)
2024-09-05