CVE-2024-50595: CWE-191: Integer Underflow (Wrap or Wraparound) in STMicroelectronics X-CUBE-AZRT-H7RS

Severity: Medium
Tags: Vulnerability, CVE-2024-50595, CWE-191
Published: Wed Apr 02 2025 (04/02/2025, 13:41:56 UTC)
Source: CVE Database V5
Vendor/Project: STMicroelectronics
Product: X-CUBE-AZRT-H7RS

Description

An integer underflow vulnerability exists in the HTTP server PUT request functionality of STMicroelectronics X-CUBE-AZRTOS-WL 2.0.0. A specially crafted series of network requests can lead to denial of service. An attacker can send a sequence of malicious packets to trigger this vulnerability. This vulnerability affects the NetX Duo Component HTTP Server implementation, which can be found in x-cube-azrtos-f7\Middlewares\ST\netxduo\addons\http\nxd_http_server.c

AI-Powered Analysis

Last updated: 11/03/2025, 19:59:49 UTC

Technical Analysis

CVE-2024-50595 identifies an integer underflow vulnerability (CWE-191) in the HTTP server PUT request functionality of the STMicroelectronics X-CUBE-AZRTOS-WL 2.0.0 software package, specifically within the NetX Duo Component HTTP Server implementation (file nxd_http_server.c). The vulnerability arises due to improper handling of integer values during processing of PUT requests, where a specially crafted sequence of network packets can cause an integer underflow (wraparound). This underflow can lead to memory corruption or logic errors that result in denial of service (DoS) conditions, such as crashing the HTTP server or causing it to become unresponsive. The flaw requires an attacker to have network access and low privileges (PR:L), but no user interaction is necessary (UI:N). The vulnerability affects version 1.0.0 of the X-CUBE-AZRT-H7RS middleware, which is used in embedded systems leveraging STMicroelectronics’ real-time operating system and networking stacks. Although no public exploits are known, the vulnerability could be leveraged in targeted attacks to disrupt availability of critical IoT or industrial control devices that rely on this middleware. The CVSS v3.1 base score is 4.3, reflecting a medium severity primarily due to its impact on availability without affecting confidentiality or integrity. The vulnerability was published on April 2, 2025, and no patches or mitigations have been officially released at the time of this report.
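The following C is an added, constructed illustration of the CWE-191 pattern the analysis describes; it is not the NetX Duo source and does not claim to reproduce the actual code path in nxd_http_server.c. It shows a PUT body counter decremented by each packet's length without a bound check (the wrap), beside the checked form a reviewer would expect, with the state struct, function names and the two-packet sequence all hypothetical.

```c
/* Constructed illustration of CWE-191 in a PUT-body byte counter.
   Hypothetical names; not the NetX Duo implementation. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

#define PUT_OK        0
#define PUT_DONE      1
#define PUT_REJECTED  2

typedef struct {
    uint32_t bytes_remaining;  /* declared Content-Length minus bytes consumed so far */
    uint32_t bytes_received;
} put_state_t;

/* Vulnerable pattern: trusts that no packet carries more than what is left.
   A packet longer than bytes_remaining wraps the counter to ~4 GB, so the
   server keeps waiting for body data that never arrives (availability loss). */
int put_consume_unchecked(put_state_t *s, uint32_t packet_len) {
    s->bytes_remaining -= packet_len;   /* underflows when packet_len > bytes_remaining */
    s->bytes_received += packet_len;
    return s->bytes_remaining == 0 ? PUT_DONE : PUT_OK;
}

/* Hardened pattern: compare before subtracting and reject an overlong packet
   (close the connection or answer with an error) instead of wrapping. */
int put_consume_checked(put_state_t *s, uint32_t packet_len) {
    if (packet_len > s->bytes_remaining) {
        return PUT_REJECTED;
    }
    s->bytes_remaining -= packet_len;
    s->bytes_received += packet_len;
    return s->bytes_remaining == 0 ? PUT_DONE : PUT_OK;
}

/* Drives a constructed sequence: Content-Length 100, then packets of 60 and 60
   bytes. Returns the counter value after the sequence for either variant. */
uint32_t remaining_after_sequence(bool checked) {
    put_state_t s = { .bytes_remaining = 100, .bytes_received = 0 };
    const uint32_t lens[] = { 60, 60 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        int rc = checked ? put_consume_checked(&s, lens[i])
                         : put_consume_unchecked(&s, lens[i]);
        if (rc != PUT_OK) {
            break;   /* DONE or REJECTED ends the body read */
        }
    }
    return s.bytes_remaining;
}
```

The unchecked variant ends with bytes_remaining wrapped to 4294967276 (2^32 - 20), which is the state a server would sit in waiting for more data; the checked variant stops at 40 and rejects the second packet.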

Potential Impact

The primary impact of CVE-2024-50595 is denial of service, which can disrupt the availability of embedded devices running STMicroelectronics X-CUBE-AZRTOS-WL 2.0.0 with the vulnerable NetX Duo HTTP server. For European organizations, this could affect industrial automation systems, IoT devices, and critical infrastructure components that use this middleware, potentially leading to operational downtime, loss of productivity, or safety risks if control systems become unresponsive. Although the vulnerability does not compromise data confidentiality or integrity, the loss of service could have cascading effects in environments where continuous device availability is critical. The medium severity rating reflects that exploitation requires network access and low privileges but no user interaction, making it feasible for attackers with internal network presence or access to exposed devices. The lack of known exploits reduces immediate risk, but the potential for targeted disruption in sectors such as manufacturing, energy, or transportation is notable.

Mitigation Recommendations

European organizations should first identify any embedded systems or IoT devices using STMicroelectronics X-CUBE-AZRTOS-WL 2.0.0 or specifically the X-CUBE-AZRT-H7RS middleware. Network segmentation and strict access controls should be implemented to limit exposure of vulnerable devices to untrusted networks. Monitoring network traffic for unusual PUT request patterns targeting HTTP servers on these devices can help detect exploitation attempts. Since no official patches are currently available, organizations should engage with STMicroelectronics for updates or workarounds. Where feasible, disabling or restricting HTTP PUT functionality on affected devices can reduce attack surface. Additionally, implementing rate limiting and anomaly detection on network interfaces can mitigate the risk of denial of service. Finally, incorporating these devices into vulnerability management and incident response plans will improve preparedness against exploitation attempts.


Technical Details

Data Version: 5.2
Assigner Short Name: talos
Date Reserved: 2024-10-25T19:20:51.679Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 690908517fff0e30cee235a0

Added to database: 11/3/2025, 7:53:53 PM

Last enriched: 11/3/2025, 7:59:49 PM

Last updated: 11/5/2025, 1:51:14 PM

