CVE-2024-35061 is a vulnerability identified in NASA AIT-Core version 2.5.2, where the software transmits data over unencrypted network channels. This insecure communication channel allows attackers positioned on the network path to perform man-in-the-middle (MitM) attacks, intercepting and potentially altering data in transit. The vulnerability is categorized under CWE-311, indicating the lack of encryption or integrity protection in network communications. While this vulnerability alone compromises confidentiality, integrity, and availability to some extent, its criticality is amplified when chained with CVE-2024-35059, which enables unauthenticated, fully remote code execution. This chaining allows attackers to execute arbitrary code remotely without any authentication, posing a severe threat to affected systems. The CVSS v3.1 base score of 7.3 reflects a high severity level, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and partial impact on confidentiality, integrity, and availability (C:L/I:L/A:L). No patches or fixes have been published yet, and no known exploits have been observed in the wild. The vulnerability's presence in NASA AIT-Core, a tool likely used in aerospace and research environments, raises concerns about the security of sensitive data and operational integrity in these sectors.

The impact of CVE-2024-35061 is significant for organizations using NASA AIT-Core, particularly in aerospace, research, and governmental sectors. The unencrypted communication channel exposes sensitive data to interception and manipulation, risking confidentiality breaches and data tampering. The potential for man-in-the-middle attacks can disrupt operations by altering commands or data streams, affecting system availability and integrity. When combined with CVE-2024-35059, the threat escalates to unauthenticated remote code execution, allowing attackers to gain full control over affected systems without credentials or user interaction. This could lead to unauthorized access, data exfiltration, sabotage of critical systems, and further lateral movement within networks. The absence of patches increases exposure time, making timely mitigation essential. The vulnerability could undermine trust in NASA-related software and impact international collaborations relying on secure data exchange.

To mitigate CVE-2024-35061, organizations should immediately assess their deployment of NASA AIT-Core v2.5.2 and identify any network segments where unencrypted communication occurs. Implement network-level encryption such as VPNs or TLS tunnels to protect data in transit until official patches are released. Employ network segmentation and strict access controls to limit exposure of vulnerable systems to untrusted networks. Monitor network traffic for signs of MitM attacks or unusual activity indicative of exploitation attempts. If possible, disable or restrict the use of NASA AIT-Core components that rely on unencrypted channels. Coordinate with NASA or software vendors for updates or patches and apply them promptly once available. Additionally, prepare incident response plans to address potential exploitation scenarios, including remote code execution chaining. Conduct security awareness training for personnel managing these systems to recognize and report suspicious network behavior.