CVE-2024-50594 is an integer underflow vulnerability classified under CWE-191 found in the HTTP server PUT request functionality of the STMicroelectronics X-CUBE-AZRTOS-WL 2.0.0 middleware, specifically within the NetX Duo Web Component HTTP Server implementation (nx_web_http_server.c). The vulnerability arises when processing a specially crafted sequence of network requests that cause an integer underflow, leading to wraparound behavior in internal calculations. This underflow can cause the HTTP server to malfunction, resulting in a denial of service (DoS) condition where the affected device or service becomes unresponsive or crashes. The vulnerability is exploitable remotely over the network without requiring user interaction, but it does require low-level privileges (PR:L) on the network, indicating that the attacker must have network access to the device. The CVSS 3.1 base score is 4.3, indicating medium severity, with the impact limited to availability (no confidentiality or integrity impact). The affected product, X-CUBE-AZRT-H7RS version 1.0.0, is a middleware package used in embedded systems based on STMicroelectronics microcontrollers, commonly deployed in IoT and industrial control environments. No public exploits or patches are currently available, increasing the importance of proactive monitoring and mitigation. The vulnerability's root cause is a failure to properly validate or handle integer values during HTTP PUT request processing, which can be triggered by sending a sequence of maliciously crafted packets to the device's HTTP server component.

The primary impact of CVE-2024-50594 is denial of service, which can disrupt the availability of embedded devices running the affected STMicroelectronics middleware. For European organizations, especially those in industrial automation, automotive manufacturing, and IoT sectors that rely on STMicroelectronics microcontrollers and middleware, this vulnerability could cause operational downtime, impacting production lines, critical infrastructure, or connected devices. While the vulnerability does not compromise confidentiality or integrity, the loss of availability can lead to significant operational and financial consequences, including halted manufacturing processes, safety system failures, or service interruptions. The medium CVSS score reflects moderate risk, but the impact could be amplified in environments where uptime is critical. Since no known exploits exist yet, the threat is currently theoretical but should be addressed proactively. The vulnerability could also be leveraged as part of a larger attack chain to cause disruption or distract from other malicious activities.

1. Monitor network traffic to devices running STMicroelectronics X-CUBE-AZRTOS-WL middleware for unusual or repeated HTTP PUT requests that could indicate exploitation attempts. 2. Restrict network access to embedded devices hosting the vulnerable HTTP server by implementing network segmentation and firewall rules to limit exposure only to trusted management networks. 3. Employ intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics capable of detecting anomalous HTTP PUT request patterns targeting embedded devices. 4. Engage with STMicroelectronics for updates or patches addressing this vulnerability and plan timely deployment once available. 5. Where possible, disable or limit HTTP server functionality on embedded devices if not required for operation. 6. Conduct regular firmware and middleware audits to identify devices running the affected version (1.0.0) and prioritize remediation. 7. Implement robust device authentication and network access controls to reduce the risk of unauthorized network access to vulnerable devices. 8. Prepare incident response plans that include procedures for handling denial of service events affecting embedded systems.