Bitdefender reports critical flaws in Bitdefender BOX v1 Devices
Take action: If you are running a Bitdefender BOX v1, be aware that it is vulnerable and no longer supported. Bitdefender has issued a one-time patch for one of the flaws, so make sure you update to the latest version, 1.3.11.510. Then plan to replace the device, since there will be other flaws, and attackers love devices that no longer receive patches.
Learn More
Bitdefender has disclosed two critical security vulnerabilities affecting its legacy BOX v1 device, potentially exposing users to serious network security risks. The advisories were published on March 12th, 2025, and affect a product that is no longer sold or supported by the company.
Vulnerability summary
- CVE-2024-13871 (CVSS score 9.4) - An unauthenticated command injection vulnerability in the /check_image_and_trigger_recovery API endpoint of Bitdefender BOX v1 running firmware version 1.3.11.490. This allows network-adjacent attackers to execute arbitrary commands without authentication, potentially leading to remote code execution.
- CVE-2024-13872 (CVSS score 9.4) - An insecure update mechanism vulnerability in versions 1.3.11.490 through 1.3.11.505, where the device uses unencrypted HTTP protocol to download updates. The vulnerability can be triggered through the /set_temp_token API method, enabling man-in-the-middle attacks that could inject malicious code executed with system privileges when daemons restart.
These vulnerabilities affect a device specifically designed to enhance network security. When security appliances themselves become attack vectors, the consequences can be far more severe than vulnerabilities in standard consumer electronics.
Network security devices typically have privileged access to traffic and connected devices, making them high-value targets for sophisticated threat actors seeking to compromise multiple systems simultaneously.
The potential impact includes full system compromise, with attackers gaining the ability to modify system configurations, access sensitive information, or use the device as a launching point for further network intrusions.
For the first vulnerability (CVE-2024-13871), an automatic update to version 1.3.11.510 fixes the issue. No fix details are provided for the second vulnerability. As this product is no longer sold or supported by Bitdefender, users of the affected BOX v1 devices should consider migrating to supported security solutions.
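As an added example (not code from Bitdefender or from the original advisory), a short Python triage helper that applies the version boundaries from the vulnerability summary and the fix note above: it parses a reported firmware string, classifies it against both CVEs, and flags inventoried devices that still need the 1.3.11.510 update. It assumes, conservatively, that every build older than 1.3.11.510 is unpatched for CVE-2024-13871 (the advisory names only 1.3.11.490), and the hostnames in the sample inventory are constructed.

```python
from typing import NamedTuple


def parse_version(text: str) -> tuple:
    """Turn a dotted firmware string such as '1.3.11.490' into a comparable tuple."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


# Version boundaries as stated in the advisory.
FIX_13871 = parse_version("1.3.11.510")                                   # update that fixes CVE-2024-13871
RANGE_13872 = (parse_version("1.3.11.490"), parse_version("1.3.11.505"))  # inclusive affected range


class Assessment(NamedTuple):
    version: str
    cve_2024_13871: str
    cve_2024_13872: str
    action: str


def assess(version: str) -> Assessment:
    """Classify one BOX v1 firmware version against both CVEs and give the defender's next step."""
    v = parse_version(version)
    # Assumption (the advisory names only 1.3.11.490 as vulnerable): any build older than
    # the fixing release is treated as unpatched for CVE-2024-13871, the conservative reading.
    s1 = "affected" if v < FIX_13871 else "fixed"
    lo, hi = RANGE_13872
    # The advisory documents no fix for CVE-2024-13872, so versions outside the published
    # range are reported as "not listed", never as "fixed".
    s2 = "affected, no fix published" if lo <= v <= hi else "not listed, no fix published"
    if s1 == "affected":
        action = "update to 1.3.11.510 now, then plan replacement (device unsupported)"
    else:
        action = "plan replacement (device unsupported; CVE-2024-13872 has no published fix)"
    return Assessment(version, s1, s2, action)


def needs_update(inventory: dict) -> list:
    """Return the names of inventoried devices still exposed to CVE-2024-13871."""
    return sorted(name for name, ver in inventory.items() if assess(ver).cve_2024_13871 == "affected")


# Constructed sample inventory: hostnames are made up for this example.
SAMPLE_INVENTORY = {"box-lab": "1.3.11.490", "box-home": "1.3.11.505", "box-office": "1.3.11.510"}

if __name__ == "__main__":
    for name, ver in SAMPLE_INVENTORY.items():
        print(name, assess(ver))
    print("needs update:", needs_update(SAMPLE_INVENTORY))
```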