PatchSiren cyber security CVE debrief

CVE-2024-2420 LenelS2 CVE debrief

CVE-2024-2420 is a critical authentication bypass vulnerability in LenelS2 NetBox, an access control and event monitoring system used in physical security environments. The vulnerability stems from hard-coded credentials present in versions prior to and including 5.6.1, enabling unauthenticated attackers to gain unauthorized access to affected systems. Published by CISA on May 30, 2024, this vulnerability carries a CVSS 3.1 score of 9.8 (Critical), reflecting its network-exploitable nature, low attack complexity, and high impact on confidentiality, integrity, and availability. The affected product is LenelS2 NetBox versions below 5.6.2. Carrier has released NetBox version 5.6.2 to address this issue. Organizations should prioritize upgrading to the patched version and consult the NetBox hardening guide for secure deployment practices.

Vendor: LenelS2
Product: NetBox
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-05-30
Original CVE updated: 2024-05-30
Advisory published: 2024-05-30
Advisory updated: 2024-05-30

Who should care

Organizations using LenelS2 NetBox for physical access control and security event monitoring, particularly in critical infrastructure, commercial facilities, and enterprise environments. Security teams responsible for ICS/OT security, facility managers, and physical security administrators should prioritize this patch.

Technical summary

LenelS2 NetBox versions prior to 5.6.2 contain hard-coded credentials that allow attackers to bypass authentication requirements entirely. The vulnerability is remotely exploitable over the network without any user interaction or privileges. Successful exploitation grants attackers full administrative access to the access control and event monitoring system, compromising physical security operations. The CVSS 3.1 score of 9.8 reflects critical impact across confidentiality, integrity, and availability dimensions. Carrier released NetBox 5.6.2 as the definitive fix.

Defensive priority

Critical

Recommended defensive actions

  • Upgrade LenelS2 NetBox to version 5.6.2 by contacting your authorized installer.
  • Follow the NetBox hardening guide available in the built-in help menu for secure deployment.
  • Review and apply CISA's ICS recommended practices for industrial control system security.
  • Monitor for unauthorized access attempts in NetBox audit logs.
  • Restrict network access to NetBox management interfaces to authorized administrative hosts only.

Evidence notes

CISA published advisory ICSA-24-151-01 on May 30, 2024, confirming hard-coded credentials in NetBox versions ≤5.6.1. The advisory specifies that version 5.6.2 mitigates the vulnerability. CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H confirms network-based exploitation without authentication.
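To make the figures in the technical summary and evidence notes checkable, the following added example (not PatchSiren's, Carrier's or CISA's code) recomputes the CVSS 3.1 base score from the quoted vector using the published CVSS 3.1 formula and flags installed NetBox builds that sit below the fixed release 5.6.2; the version-string format is an assumption.

```python
"""Triage helper: verify the CVSS 3.1 score in the advisory and test whether an
installed NetBox version is below the fixed release (added example, not vendor code)."""
import math

# CVSS 3.1 base-metric weights (FIRST CVSS v3.1 specification, section 7.4)
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
_AC = {"L": 0.77, "H": 0.44}
_UI = {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
# Privileges Required weight depends on Scope: (scope unchanged, scope changed)
_PR = {"N": (0.85, 0.85), "L": (0.62, 0.68), "H": (0.27, 0.5)}


def _roundup(x):
    """CVSS 3.1 Roundup(): smallest one-decimal value >= x, computed on integers
    to avoid floating-point surprises (as the specification prescribes)."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def cvss31_base_score(vector):
    """Base score for a vector such as 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'."""
    metrics = dict(p.split(":") for p in vector.split("/") if not p.startswith("CVSS"))
    changed = metrics["S"] == "C"
    iss = 1 - (1 - _CIA[metrics["C"]]) * (1 - _CIA[metrics["I"]]) * (1 - _CIA[metrics["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    exploitability = (8.22 * _AV[metrics["AV"]] * _AC[metrics["AC"]]
                      * _PR[metrics["PR"]][changed] * _UI[metrics["UI"]])
    if impact <= 0:
        return 0.0
    if changed:
        return _roundup(min(1.08 * (impact + exploitability), 10))
    return _roundup(min(impact + exploitability, 10))


def parse_version(text):
    """Assumed dotted-numeric NetBox version string, e.g. '5.6.1' -> (5, 6, 1)."""
    return tuple(int(part) for part in text.strip().split("."))


def netbox_affected(installed, fixed="5.6.2"):
    """True when the installed build is below the release that fixes CVE-2024-2420."""
    return parse_version(installed) < parse_version(fixed)


if __name__ == "__main__":
    print(cvss31_base_score("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"))  # 9.8
    print(netbox_affected("5.6.1"), netbox_affected("5.6.2"))  # True False
```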

Official resources

2024-05-30