CVE-2024-23922

Sony XAV-AX5500 Insufficient Firmware Update Validation Remote Code Execution Vulnerability

CVSS 6.8 MEDIUMEPSS 1.7%CWE-345

In short

The Sony XAV-AX5500 car head unit does not properly verify firmware updates, allowing an attacker with physical access to install malicious code and take control of the device without needing a password.

Technical detail

The vulnerability exists in the firmware update mechanism due to insufficient validation of update packages (CWE-345). An attacker with physical access can exploit this to execute arbitrary code with device privileges; no authentication is required, making it exploitable during the update process.

Summary generated and translated by AI from the official description.

Sony XAV-AX5500 Insufficient Firmware Update Validation Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Sony XAV-AX5500 devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of software updates. The issue results from the lack of proper validation of software update packages. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-22939

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Sony · XAV-AX5500

public PoCs found — 1

exploitdbwww.exploit-db.com/exploits/52143unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.sony.com/electronics/support/mobile-cd-players-digital-media-players-xav-series/xav-ax5500/software/00274156 https://www.zerodayinitiative.com/advisories/ZDI-24-874/