CVE-2024-32387

Cybersicherheitsschild. Konzept für Cyberbedrohungen

Predictable SNMP Community String in KerOS 4.3.3 and Below

Predictable SNMP Community String in KerOS 4.3.3 and Below

Predictable SNMP Community String in KerOS 4.3.3 and Below

CVE ID
CVE-2024-32387
CVE Link
https://nvd.nist.gov/vuln/detail/CVE-2024-32387
Vendor
Kerlink
Affected Product & Version
KerOS ≤ 4.3.3
Vulnerability Type
CWE-330 – Use of Insufficiently Random Values
CVSS Base Score / CVSS Vector

NVD: Awaiting analysis

BDO: 5.7 Medium / CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Author
Martin Weißbach
Date
2026-05-27

CVE Details

Description:

The SNMP implementation in KerOS 4.3.3 and below uses a predictable SNMP community string derived from hardware-dependent information. In combination with an additional information disclosure vulnerability, an attacker may recover the community string with a low number of brute-force attempts.

Remediation:

KerOS4 and KerOS5 should no longer be used, as they are considered end of life. Instead, the most recent version of KerOS 6 should be used.

References:


Timeline

2024-03-19: Vulnerability reported to Kerlink

2024-03-23: Kerlink informed us that the issues were under analysis

2024-03-29: Vendor confirmed the vulnerabilities and provided an update on the current status of the analysis, including potential fixes

2024-04-08: We provided feedback on the fixes

2024-04-28: Vendor provided an update on the status of the fixes

2024-06-11: We reported additional vulnerabilities; ongoing communication regarding these issues

2025-08-05: We informed Kerlink of our intention to release the CVEs

2025-09-06: Vendor informed us that KerOS4 is EOL, KerOS will only be maintained for critical vulnerabilities tills end of 2025 and that this vulnerability does not affect KerOS6

2026-04-01: Coordinated public disclosure of this CVE was agreed upon with the vendor

2026-05-27: CVE published