
CVE-2024-50597: CWE-191: Integer Underflow (Wrap or Wraparound) in STMicroelectronics X-CUBE-AZRT-H7RS

Severity: Medium
Tags: Vulnerability, CVE-2024-50597, CWE-191
Published: Wed Apr 02 2025 (04/02/2025, 13:41:55 UTC)
Source: CVE Database V5
Vendor/Project: STMicroelectronics
Product: X-CUBE-AZRT-H7RS

Description

An integer underflow vulnerability exists in the HTTP server PUT request functionality of STMicroelectronics X-CUBE-AZRTOS-WL 2.0.0. A specially crafted network packet can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability. This vulnerability affects the NetX Duo Component HTTP Server implementation, which can be found in x-cube-azrtos-f7\Middlewares\ST\netxduo\addons\http\nxd_http_server.c

AI-Powered Analysis

AI analysis last updated: 11/03/2025, 20:00:26 UTC

Technical Analysis

CVE-2024-50597 identifies an integer underflow vulnerability categorized under CWE-191 in the HTTP server PUT request functionality of STMicroelectronics' X-CUBE-AZRTOS-WL 2.0.0 middleware package. The flaw resides in the NetX Duo component's HTTP server implementation, specifically in the source file nxd_http_server.c. When processing a PUT request, the code improperly handles integer values, allowing a crafted network packet to cause an underflow condition. This underflow can lead to memory corruption or logic errors that result in denial of service by crashing or halting the HTTP server process.

The vulnerability requires only network access and low privileges (PR:L), with no user interaction needed. The scope is unchanged (S:U), and the impact affects availability (A:L) but not confidentiality or integrity. The CVSS 3.1 base score is 4.3, reflecting medium severity. No public exploits or patches are currently available.

The vulnerability primarily threatens embedded systems and IoT devices using STMicroelectronics' X-CUBE-AZRTOS-WL middleware, which is common in industrial, automotive, and consumer electronics sectors. Attackers could disrupt device availability remotely, potentially impacting critical infrastructure or services relying on these devices.
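To make the CWE-191 pattern behind this entry concrete, the following is an added C example written for this page; it is not code from the NetX Duo HTTP server or from STMicroelectronics, and the function names, the "remaining body bytes" bookkeeping and the sample lengths are hypothetical, not a claim about which variables underflow in nxd_http_server.c. It shows why a server that tracks a PUT body's declared and already-received lengths as unsigned counts must check operand order before subtracting, and how the hardened form rejects the request instead of wrapping to a value near UINT32_MAX that a caller might then wait for or allocate.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical PUT-body bookkeeping written for this advisory as an
 * illustration of CWE-191 in length arithmetic. It is NOT NetX Duo code. */

#define PUT_BAD_LENGTH (-1LL)

/* Vulnerable pattern: subtracts the bytes already received from the declared
 * Content-Length without checking that received <= content_length. When a
 * packet delivers more body than was declared, the unsigned subtraction wraps
 * (100 - 120 becomes 4294967276), and any code that loops, waits or allocates
 * on that "remaining" count stalls or faults: a denial of service. */
uint32_t remaining_unchecked(uint32_t content_length, uint32_t received)
{
    return content_length - received;   /* wraps when received > content_length */
}

/* Hardened pattern: treat received > content_length as a malformed request and
 * signal it to the caller (PUT_BAD_LENGTH) instead of performing a subtraction
 * that can wrap. Returns the remaining byte count otherwise. */
long long remaining_checked(uint32_t content_length, uint32_t received)
{
    if (received > content_length) {
        return PUT_BAD_LENGTH;          /* reject; do not derive a count from it */
    }
    return (long long)(content_length - received);
}

/* Constructed sample values: a PUT that declares a 100-byte body but whose
 * first packet already carried 120 body bytes. */
static const uint32_t SAMPLE_CONTENT_LENGTH = 100;
static const uint32_t SAMPLE_RECEIVED       = 120;

int main(void)
{
    printf("unchecked remaining: %u\n",
           (unsigned)remaining_unchecked(SAMPLE_CONTENT_LENGTH, SAMPLE_RECEIVED));
    printf("checked remaining:   %lld (negative means request rejected)\n",
           remaining_checked(SAMPLE_CONTENT_LENGTH, SAMPLE_RECEIVED));
    return 0;
}
```

The defensive point generalizes beyond the sample: every place a network-facing parser derives a count from two lengths supplied or influenced by the peer, the comparison that establishes the subtraction is safe has to happen first, and the failure path has to drop the request rather than continue with a wrapped value.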

Potential Impact

For European organizations, the primary impact is a potential denial of service on embedded or IoT devices running the vulnerable STMicroelectronics middleware. This could disrupt industrial automation systems, automotive control units, or smart devices, leading to operational downtime or degraded service availability. Critical sectors such as manufacturing, automotive, energy, and smart city infrastructure could face interruptions if these devices are exposed to untrusted networks. Although the vulnerability does not compromise data confidentiality or integrity, loss of availability in critical embedded systems can have cascading effects on production lines, safety systems, or service delivery. The medium CVSS score indicates moderate risk, but the actual impact depends on device deployment scale and network exposure. European organizations with extensive use of STMicroelectronics components in their supply chain or operational technology environments should prioritize risk assessments and monitoring.

Mitigation Recommendations

1. Implement strict network segmentation and access controls to isolate vulnerable embedded devices from untrusted networks, reducing exposure to malicious packets.
2. Restrict network access to the HTTP server interface of devices running X-CUBE-AZRTOS-WL to trusted management networks only.
3. Monitor network traffic for anomalous PUT requests or malformed packets targeting the HTTP server.
4. Engage with STMicroelectronics for updates and apply patches or firmware updates as soon as they become available.
5. Where possible, disable or limit HTTP server functionality on embedded devices if not required.
6. Conduct thorough inventory and asset management to identify devices using the affected middleware version 1.0.0.
7. Employ intrusion detection/prevention systems (IDS/IPS) tuned to detect exploitation attempts of integer underflow vulnerabilities in embedded HTTP servers.
8. Develop incident response plans specific to embedded device DoS scenarios to minimize operational impact.


Technical Details

Data Version: 5.2
Assigner Short Name: talos
Date Reserved: 2024-10-25T19:20:52.221Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 690908537fff0e30cee23900

Added to database: 11/3/2025, 7:53:55 PM

Last enriched: 11/3/2025, 8:00:26 PM

Last updated: 12/20/2025, 2:27:34 AM
