PatchSiren


CVE-2024-4978 Justice AV Solutions CVE debrief

CVE-2024-4978 is a Justice AV Solutions (JAVS) Viewer vulnerability involving embedded malicious code in the installer. CISA lists it in the Known Exploited Vulnerabilities catalog, which makes it a high-priority issue for defenders even though no CVSS score is provided in the supplied record. Organizations using JAVS Viewer should treat this as an urgent software-supply-chain-style exposure and follow vendor guidance immediately, or discontinue use if mitigation is not available. CISA’s KEV entry set a remediation due date of 2024-06-19.

Vendor: Justice AV Solutions
Product: Viewer
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2024-05-29
Original CVE updated: 2024-05-29
Advisory published: 2024-05-29
Advisory updated: 2024-05-29

Who should care

Organizations that deploy or have deployed Justice AV Solutions (JAVS) Viewer, especially IT, endpoint management, security operations, and procurement teams responsible for third-party software approval and software update validation.

Technical summary

The supplied record describes a JAVS Viewer installer containing embedded malicious code. CISA classifies the issue as known exploited, which indicates confirmed real-world abuse rather than a purely theoretical flaw. The available source data does not include a CVSS score, exploit chain specifics, or remediation mechanics beyond the vendor-directed instruction to apply mitigations or stop using the product if mitigations are unavailable.

Defensive priority

Critical. Because this is in CISA’s Known Exploited Vulnerabilities catalog and has an associated remediation due date, it should be prioritized ahead of routine patch work.

Recommended defensive actions

  • Identify all installations of Justice AV Solutions (JAVS) Viewer across endpoints and managed software inventories.
  • Follow vendor instructions for mitigation or removal; if mitigations are unavailable, discontinue use of the product.
  • Block or quarantine any untrusted or suspect installer packages associated with the affected product in software distribution systems.
  • Validate software provenance controls for third-party installers and re-check internal allowlists for JAVS Viewer.
  • Track remediation against the CISA KEV due date of 2024-06-19 and confirm exposure is removed or mitigated.
  • Monitor vendor and official vulnerability records for updated guidance or revised remediation steps.
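
The first and fifth actions above (find every installation, then track it against the KEV due date) can be scripted against an inventory export. The following is an added example, not part of the original debrief or any vendor tooling: the KEV record uses the values quoted on this page with field names from CISA's KEV JSON feed, while the inventory rows, hostnames, and vendor alias list are constructed assumptions.

```python
from datetime import date

# KEV record built from the values quoted on this page; field names follow
# CISA's KEV JSON feed.
KEV_ENTRY = {
    "cveID": "CVE-2024-4978",
    "vendorProject": "Justice AV Solutions",
    "product": "Viewer",
    "dateAdded": "2024-05-29",
    "dueDate": "2024-06-19",
    "knownRansomwareCampaignUse": "Unknown",
}

# Constructed inventory export: hostnames, names and statuses are made up.
INVENTORY = [
    {"host": "court-ws-01", "vendor": "Justice AV Solutions", "name": "JAVS Viewer", "status": "installed"},
    {"host": "court-ws-02", "vendor": "justice av solutions ", "name": "Viewer", "status": "removed"},
    {"host": "clerk-lt-07", "vendor": "Example Corp", "name": "PDF Viewer", "status": "installed"},
    {"host": "av-room-3", "vendor": "JAVS", "name": "javs viewer 8", "status": "installed"},
]

# Assumption: vendor spellings that inventory tools may record for this product.
VENDOR_ALIASES = {"justice av solutions", "javs"}


def norm(s):
    """Lower-case and collapse whitespace so inventory spellings compare equal."""
    return " ".join(s.lower().split())


def matches(item, entry):
    """True when an inventory row refers to the KEV vendor/product pair.

    The product name "Viewer" is generic, so a vendor match is required too;
    otherwise unrelated software such as a PDF viewer would be flagged.
    """
    vendor, name = norm(item["vendor"]), norm(item["name"])
    aliases = VENDOR_ALIASES | {norm(entry["vendorProject"])}
    vendor_hit = vendor in aliases or any(name.startswith(a + " ") for a in aliases)
    return vendor_hit and norm(entry["product"]) in name.split()


def open_exposures(inventory, entry, today):
    """Hosts still running the product, with days relative to the KEV due date."""
    due = date.fromisoformat(entry["dueDate"])
    return [
        {"host": i["host"], "cve": entry["cveID"], "days_past_due": (today - due).days}
        for i in inventory
        if matches(i, entry) and i["status"] == "installed"
    ]
```

A negative `days_past_due` means the host is still inside the remediation window; zero or more means the due date has passed with the product still installed.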

Evidence notes

The supplied corpus identifies the vulnerability as 'Justice AV Solutions (JAVS) Viewer Installer Embedded Malicious Code Vulnerability,' marks it as a CISA KEV entry, and provides dateAdded 2024-05-29 with dueDate 2024-06-19. The source metadata says to apply mitigations per vendor instructions or discontinue use if mitigations are unavailable. The record lists known ransomware campaign use as unknown. No CVSS score is present in the supplied data.

Official resources

Publicly disclosed through the CISA Known Exploited Vulnerabilities catalog on 2024-05-29. This debrief is limited to defensive guidance and official-record context.