CVE-2024-54984 identifies a critical authentication bypass vulnerability in the Quectel BG96 cellular module, specifically the BG96MAR02A08M1G firmware. The flaw arises from improper validation of NAS (Non-Access Stratum) protocol messages, which are used for signaling between the cellular device and the network core. An attacker capable of sending a specially crafted NAS message can bypass the module's authentication mechanisms, effectively gaining unauthorized access to the device's cellular functions. This can lead to full compromise of the device's confidentiality, integrity, and availability, as the attacker can manipulate or disrupt cellular communications. The vulnerability is notable for requiring no privileges or user interaction, and it can be exploited remotely over the network. Despite the supplier disputing the vulnerability, the CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects the high severity and ease of exploitation. No patches or firmware updates have been publicly released, and no active exploits have been reported in the wild. The issue is categorized under CWE-306, indicating missing or insufficient authentication controls. The vulnerability poses a significant risk to IoT, M2M, and embedded systems that rely on Quectel BG96 modules for cellular connectivity, potentially allowing attackers to intercept, manipulate, or disrupt communications and data flows.

The impact of CVE-2024-54984 is severe for organizations deploying Quectel BG96 modules in their IoT, M2M, or embedded device fleets. Successful exploitation can lead to complete compromise of device communications, enabling attackers to intercept sensitive data, inject malicious commands, disrupt service availability, or pivot into internal networks. This threatens confidentiality, integrity, and availability of critical systems, especially in industrial automation, smart metering, transportation, and telecommunications infrastructure. The lack of required privileges or user interaction lowers the barrier for attackers, increasing the likelihood of exploitation once the vulnerability is known. The absence of patches means organizations remain exposed until mitigations or firmware updates are available. This vulnerability could also undermine trust in cellular-based security controls and impact compliance with data protection regulations if exploited.

Given the absence of official patches, organizations should implement network-level mitigations such as filtering and monitoring NAS protocol traffic to detect and block anomalous or malformed messages targeting Quectel BG96 modules. Deploying cellular firewalls or intrusion detection systems that understand NAS signaling can help prevent exploitation. Segmentation of IoT and M2M devices from critical networks reduces potential lateral movement. Device vendors and integrators should engage with Quectel for firmware updates or advisories and plan for timely patch deployment once available. Additionally, organizations should perform thorough asset inventories to identify affected devices and apply compensating controls such as disabling unnecessary cellular features or restricting device access to trusted networks. Continuous monitoring for unusual cellular activity and anomaly detection can provide early warning of exploitation attempts.