CVE-2024-42483

Public Exploit
ESP-NOW Replay Attacks Vulnerability

Description

ESP-NOW Component provides a connectionless Wi-Fi communication protocol. An replay attacks vulnerability was discovered in the implementation of the ESP-NOW because the caches is not differentiated by message types, it is a single, shared resource for all kinds of messages, whether they are broadcast or unicast, and regardless of whether they are ciphertext or plaintext. This can result an attacker to clear the cache of its legitimate entries, there by creating an opportunity to re-inject previously captured packets. This vulnerability is fixed in 2.5.2.

Categories

6.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.02%
Third-Party Advisory github.com
Affected: espressif esp-now
Published at:
Updated at:

References

Link Tags
https://github.com/espressif/esp-now/security/advisories/GHSA-wf6q-c2xr-77xj third party advisory exploit
https://github.com/espressif/esp-now/commit/4e30db50d541b2909d278ef0db05de1a3d7190ef patch

Frequently Asked Questions

What is the severity of CVE-2024-42483?
CVE-2024-42483 has been scored as a medium severity vulnerability.
How to fix CVE-2024-42483?
To fix CVE-2024-42483, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-42483 being actively exploited in the wild?
It is possible that CVE-2024-42483 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-42483?
CVE-2024-42483 affects espressif esp-now.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.