CVE-2024-37654: n/a
CVE-2024-37654 is a medium severity vulnerability affecting multiple BAS-IP intercom and access control devices prior to version 3.9.2. It allows a remote attacker to obtain sensitive information by sending a crafted HTTP GET request. Exploitation requires no privileges but does require user interaction, such as triggering the request. The vulnerability impacts confidentiality significantly but has limited effect on integrity and no impact on availability. No known exploits are currently in the wild. The vulnerability is related to CWE-922, indicating improper restriction of operations within the HTTP request handling. Organizations using affected BAS-IP devices should prioritize updating to version 3.9.2.
AI Analysis
Technical Summary
CVE-2024-37654 is a vulnerability identified in a broad range of BAS-IP intercom and access control devices, including models AV-01D through BA-12MD and CR-02BD, affecting firmware versions before 3.9.2. The flaw allows a remote attacker to extract sensitive information by crafting a specific HTTP GET request to the device's web interface or API endpoints. The vulnerability stems from improper access control or insufficient validation of HTTP requests (CWE-922), enabling unauthorized information disclosure. The CVSS 3.1 base score is 6.1, reflecting a medium severity level, with attack vector local (AV:L), low attack complexity (AC:L), no privileges required (PR:N), and user interaction required (UI:R). The scope is unchanged (S:U), with high confidentiality impact (C:H), low integrity impact (I:L), and no availability impact (A:N). This suggests that while the attacker cannot modify or disrupt device operation, they can gain access to sensitive data, potentially including configuration details, user credentials, or network information. No public exploits have been reported yet, but the vulnerability's presence in widely deployed BAS-IP devices used in physical security systems makes it a concern. The lack of a patch link indicates that users should verify firmware updates from the vendor and apply version 3.9.2 or later to remediate the issue.
Potential Impact
The primary impact of CVE-2024-37654 is unauthorized disclosure of sensitive information from BAS-IP intercom and access control devices. This can lead to exposure of configuration settings, user credentials, or network topology details, which attackers could leverage for further attacks such as lateral movement, privilege escalation, or physical security bypass. Organizations relying on these devices for building access control, visitor management, or security monitoring may face increased risk of targeted intrusions or espionage. Although the vulnerability does not directly affect device integrity or availability, the confidentiality breach can undermine trust in security controls and lead to compliance violations, especially in regulated industries. The requirement for user interaction and local network access somewhat limits remote exploitation, but insider threats or compromised internal hosts could exploit this vulnerability. The absence of known exploits reduces immediate risk but does not preclude future attacks. Overall, the vulnerability poses a moderate risk to organizations with BAS-IP deployments, particularly in sectors such as government, critical infrastructure, corporate campuses, and residential complexes.
Mitigation Recommendations
To mitigate CVE-2024-37654, organizations should immediately verify and apply firmware updates from BAS-IP, ensuring devices run version 3.9.2 or later where the vulnerability is addressed. Network segmentation should be enforced to isolate BAS-IP devices from untrusted networks and restrict access to management interfaces to authorized personnel only. Implement strict firewall rules to limit HTTP access to these devices, preferably allowing only trusted IP addresses. Employ network monitoring and intrusion detection systems to identify anomalous HTTP GET requests targeting BAS-IP devices. Disable or restrict remote management features if not required, and enforce strong authentication mechanisms for device access. Regularly audit device configurations and logs for signs of unauthorized access attempts. Additionally, educate staff about the risks of interacting with suspicious links or requests that could trigger exploitation. If vendor patches are delayed, consider temporary compensating controls such as web application firewalls with custom rules to block malicious request patterns targeting the vulnerability.
Affected Countries
United States, Germany, Russia, China, United Kingdom, France, Italy, South Korea, Japan, Canada, Australia, United Arab Emirates
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-06-10T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6c6ab7ef31ef0b563d74
Added to database: 2/25/2026, 9:40:58 PM
Last enriched: 2/26/2026, 5:17:05 AM
Last updated: 2/26/2026, 9:35:50 AM