CVE-2024-50929 is a vulnerability identified in Silicon Labs Z-Wave Series 700 and 800 controllers running firmware version 7.21.1. The root cause is insecure permissions that permit an attacker to arbitrarily change the device type information stored in the controller's memory. This device type information is critical for the controller to correctly manage and communicate with connected Z-Wave devices. By altering this data, an attacker can induce a Denial of Service (DoS) condition, effectively disrupting the controller's ability to operate normally within the Z-Wave network. The vulnerability is classified under CWE-281 (Improper Restriction of Operations within the Bounds of a Memory Buffer or Object), indicating improper access control. The CVSS v3.1 base score is 6.2, reflecting medium severity, with an attack vector of local access (AV:L), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no impact on confidentiality or integrity (C:N/I:N), and high impact on availability (A:H). No patches or mitigations have been officially released as of the publication date, and no known exploits have been detected in the wild. This vulnerability primarily affects environments where an attacker can gain local access to the controller device, such as through physical access or compromised local networks.

The primary impact of CVE-2024-50929 is a Denial of Service condition on Z-Wave controllers using Silicon Labs Series 700 and 800 chips with vulnerable firmware. This can disrupt smart home or building automation systems relying on these controllers, potentially causing loss of control over connected devices such as lighting, security sensors, locks, and HVAC systems. While confidentiality and integrity are not directly affected, the availability impact can degrade operational continuity and user experience. Organizations deploying these controllers in critical environments may face operational disruptions, increased support costs, and potential safety concerns if security or safety devices become unresponsive. The requirement for local access limits remote exploitation but does not eliminate risk in environments where physical or network access is possible for attackers. The lack of patches increases exposure until mitigations or updates are available.

To mitigate CVE-2024-50929, organizations should implement strict physical security controls to prevent unauthorized local access to Z-Wave controllers. Network segmentation and access controls should be enforced to limit local network access to trusted users and devices only. Monitoring and logging of local access attempts can help detect suspicious activity. Until official patches are released by Silicon Labs, firmware updates should be applied promptly once available. Vendors and integrators should verify firmware versions and avoid deploying vulnerable versions in new installations. Additionally, consider deploying intrusion detection systems tailored for IoT and smart home environments to detect anomalous behavior indicative of exploitation attempts. For critical deployments, evaluate alternative controllers or additional layers of redundancy to maintain availability in case of disruption.