// For flags

CVE-2024-50593

Hardcoded Service Password

Severity Score

7.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

An attacker with local access to the medical office computer can
access restricted functions of the Elefant Service tool by using a
hard-coded "Hotline" password in the Elefant service binary, which is shipped with the software.

Un atacante con acceso local a el ordenador del consultorio médico puede acceder a funciones restringidas de la herramienta de servicio Elefant mediante el uso de una contraseña de "línea directa" codificada en el binario del servicio Elefant, que se envía con el software.

HASOMED Elefant versions prior to 24.04.00 and Elefant Software Updater versions prior to 1.4.2.1811 suffer from having an unprotected exposed firebird database, unprotected FHIR API, multiple local privilege escalation, and hardcoded service password vulnerabilities.

*Credits: Tobias Niemann, SEC Consult Vulnerability Lab, Daniel Hirschberger, SEC Consult Vulnerability Lab, Florian Stuhlmann, SEC Consult Vulnerability Lab
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:Attend
Exploitation
Poc
Automatable
No
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2024-10-25 CVE Reserved
  • 2024-11-08 CVE Published
  • 2024-11-08 CVE Updated
  • 2024-11-09 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-798: Use of Hard-coded Credentials
CAPEC
  • CAPEC-191: Read Sensitive Constants Within an Executable
References (2)
URL Tag Source
https://r.sec-consult.com/hasomed Third Party Advisory
URL Date SRC
URL Date SRC
https://hasomed.de/produkte/elefant 2024-11-08
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
---- -