CVE-2024-8892

Uncontrolled Resource Consumption vulnerability on CIRCUTOR TCP2RS+

Description

Vulnerability in CIRCUTOR TCP2RS+ firmware version 1.3b, which could allow an attacker to modify any configuration value, even if the device has the user/password authentication option enabled, without authentication by sending packets through the UDP protocol and port 2000, deconfiguring the device and thus disabling its use. This equipment is at the end of its useful life cycle.

Remediation

Solution:

  • CIRCUTOR TCP2RS+ device firmware version 1.3.b (2017), presents 2 security vulnerabilities exploitable mainly in public communication networks, especially in networks not adequately protected. CIRCUTOR strongly recommends replacing the TCP2RS+ device with the current Line-TCPRS1, both in private and public network environments.

Category

5.3
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.08%
Third-Party Advisory incibe.es
Affected: CIRCUTOR CIRCUTOR TCP2RS+
Published at:
Updated at:

References

Link Tags
https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products third party advisory

Frequently Asked Questions

What is the severity of CVE-2024-8892?
CVE-2024-8892 has been scored as a medium severity vulnerability.
How to fix CVE-2024-8892?
To fix CVE-2024-8892: CIRCUTOR TCP2RS+ device firmware version 1.3.b (2017), presents 2 security vulnerabilities exploitable mainly in public communication networks, especially in networks not adequately protected. CIRCUTOR strongly recommends replacing the TCP2RS+ device with the current Line-TCPRS1, both in private and public network environments.
Is CVE-2024-8892 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-8892 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-8892?
CVE-2024-8892 affects CIRCUTOR CIRCUTOR TCP2RS+.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.