CVE-2024-57375: CWE-1419 Incorrect Initialization of Resource in Andamiro Pump It Up

Medium
Published: Fri Apr 25 2025 (04/25/2025, 00:00:00 UTC)
Source: CVE
Vendor/Project: Andamiro
Product: Pump It Up

Description

Andamiro Pump It Up 20th Anniversary (aka Double X or XX/2019) 1.00.0-2.08.3 allows a physically proximate attacker to cause a denial of service (application crash) via certain deselect actions.

AI-Powered Analysis

Last updated: 06/24/2025, 12:12:43 UTC

Technical Analysis

CVE-2024-57375 is a medium-severity vulnerability affecting Andamiro's Pump It Up 20th Anniversary edition (also known as Double X or XX/2019), versions 1.00.0 through 2.08.3. It is classified under CWE-1419 (Incorrect Initialization of Resource). A physically proximate attacker can trigger a denial of service (DoS) by causing the application to crash through certain deselect actions: the application does not properly initialize or manage the resources involved in handling deselect commands, leaving it in an unstable state that crashes. Exploitation requires physical proximity, since the attacker must interact directly with the machine or its interface to perform the deselect actions. There are no known exploits in the wild at this time, and no patches have been published yet. The vulnerability does not appear to permit remote exploitation, privilege escalation, or data compromise; its effect is on availability, because the application crashes unexpectedly. The affected product is a specialized arcade-style rhythm game machine, typically deployed in entertainment venues such as arcades, gaming centers, and recreational facilities. The CVE was reserved in early 2025 and publicly disclosed in April 2025, and the record has been enriched by CISA.

Potential Impact

For European organizations, the primary impact of CVE-2024-57375 is on availability. Facilities that operate Andamiro Pump It Up arcade machines could experience service disruptions if an attacker physically interacts with a device to trigger the crash. This means downtime for the gaming machines, loss of revenue for the venue, and potential reputational damage if customers experience frequent interruptions. Because the vulnerability requires physical proximity, the risk is largely limited to environments where the machines are accessible to the public or to untrusted individuals. There is no direct impact on the confidentiality or integrity of data, and the vulnerability does not enable remote compromise or lateral movement within networks. However, in venues where these machines are integrated into broader networked systems (e.g., for score tracking or payment processing), repeated crashes could indirectly disrupt operational workflows. The impact is therefore mostly localized to the availability of the affected arcade machines rather than to enterprise-wide IT infrastructure.

Mitigation Recommendations

Given the physical proximity requirement and the nature of the vulnerability, mitigation should focus on both technical and physical controls. Operators should:

1. Restrict physical access to the arcade machines by placing them in supervised or monitored areas to prevent unauthorized interaction.
2. Implement operational procedures to quickly restart or reset machines if crashes occur, to minimize downtime.
3. Monitor for unusual deselect actions or repeated crashes that could indicate attempted exploitation.
4. Engage with Andamiro to obtain patches or firmware updates as soon as they become available, and apply them promptly.
5. If possible, configure the machines to limit or disable deselect actions that are not essential to gameplay or operation.
6. Train staff to recognize signs of tampering or misuse that could trigger the vulnerability.
7. Maintain an inventory of affected devices to prioritize patching and monitoring efforts.

These steps go beyond generic advice by emphasizing physical security, operational readiness, and vendor engagement specific to arcade machine environments.

Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-01-09T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d983fc4522896dcbf04ee

Added to database: 5/21/2025, 9:09:19 AM

Last enriched: 6/24/2025, 12:12:43 PM

Last updated: 8/15/2025, 12:52:21 AM
