CVE-2024-28275 identifies a security vulnerability in the 360Eyes Pro software version 3.9.5.16 developed by Puwell Cloud Tech Co, Ltd. The core issue is the transmission of sensitive information, such as user credentials and password change requests, in cleartext over the network. This lack of encryption means that any attacker with network access can intercept these communications and extract confidential data. The vulnerability is categorized under CWE-319, which pertains to cleartext transmission of sensitive information. The CVSS 3.1 base score is 6.5, reflecting a medium severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The scope is unchanged (S:U), and the impact is high on confidentiality (C:H), with no impact on integrity or availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability poses a significant risk to users' privacy and security, especially in environments where network traffic can be monitored or intercepted, such as public or unsecured Wi-Fi networks. The software’s failure to encrypt sensitive data in transit violates best practices for secure communications and exposes users to credential theft and unauthorized access. Organizations relying on 360Eyes Pro should be aware of this risk and take immediate steps to protect their data.

The primary impact of CVE-2024-28275 is the compromise of confidentiality due to interception of sensitive information transmitted in cleartext. Attackers can capture user credentials and password change requests, potentially leading to unauthorized access to user accounts and systems. This can result in account takeover, privacy violations, and further exploitation within the affected network or connected systems. Since the vulnerability does not affect integrity or availability, the immediate operational disruption is limited; however, the breach of sensitive data can have cascading effects, including reputational damage, regulatory penalties, and loss of user trust. Organizations using 360Eyes Pro in sectors such as surveillance, security monitoring, or cloud-based services are particularly vulnerable. The ease of exploitation (no privileges required and low complexity) combined with the network attack vector increases the risk, especially in environments where attackers can sniff network traffic. The lack of known exploits in the wild suggests limited current exploitation but does not diminish the potential future risk if attackers develop tools targeting this vulnerability.

To mitigate CVE-2024-28275, organizations should first verify if they are using the affected version (v3.9.5.16) of 360Eyes Pro and restrict its use in sensitive environments until a patch is available. Immediate steps include enforcing encrypted communication channels such as VPNs or TLS tunnels to protect data in transit. Network segmentation and monitoring should be implemented to detect unusual traffic patterns indicative of interception attempts. Users should be educated to avoid using the software over unsecured or public networks. Where possible, multi-factor authentication (MFA) should be enabled to reduce the impact of credential compromise. Organizations should engage with Puwell Cloud Tech Co to obtain updates or patches and apply them promptly once released. Additionally, conducting regular security audits and penetration testing can help identify and remediate similar weaknesses. Logging and alerting on password change requests and authentication attempts can provide early warning of exploitation attempts. Finally, consider alternative software solutions with robust encryption practices if immediate patching is not feasible.