CVE-2024-58337 is an improper access control vulnerability identified in several Akuvox Smart Doorphone models (S539, S532, X916, X915, X912). The vulnerability arises because the device firmware does not enforce adequate authorization checks on API access settings and configurations. Specifically, users assigned 'User' privileges, which are typically limited, can exploit this flaw to modify API configurations that should be restricted to administrators. This lack of authorization validation allows privilege escalation, granting attackers unauthorized administrative access to the device's management functions. The vulnerability is remotely exploitable over the network (AV:N), requires low attack complexity (AC:L), and does not require user interaction (UI:N) or additional authentication beyond user-level access (PR:L). The impact on confidentiality, integrity, and availability is high (VC:H, VI:H, VA:H), as attackers can manipulate device settings, potentially disabling security features or gaining persistent control. The vulnerability affects multiple widely deployed Akuvox models used in smart intercom and doorphone systems, which are often integrated into building security and access control infrastructures. Although no known exploits have been reported in the wild, the high CVSS score (8.7) and the nature of the vulnerability make it a significant threat, especially in environments where these devices control physical access. The vulnerability was published on December 30, 2025, with no patches currently linked, emphasizing the need for urgent vendor response and mitigation by users.

For European organizations, the impact of CVE-2024-58337 is substantial due to the critical role smart doorphones play in physical security and access control. Unauthorized administrative access could allow attackers to manipulate entry permissions, disable security alerts, or create backdoors into corporate or residential buildings. This can lead to physical security breaches, theft, espionage, or sabotage. Organizations in sectors such as finance, government, healthcare, and critical infrastructure are particularly vulnerable, as these sectors rely heavily on secure access control systems. Additionally, the compromise of these devices could serve as a pivot point for further network intrusion, as smart doorphones often connect to internal networks. The high severity and ease of exploitation increase the likelihood of targeted attacks, especially in environments where user accounts with 'User' privileges are common and not tightly controlled. The absence of known exploits in the wild currently limits immediate widespread impact but does not reduce the urgency for mitigation, as attackers may develop exploits rapidly once the vulnerability is public.

European organizations should immediately audit their Akuvox Smart Doorphone deployments to identify affected models (S539, S532, X916, X915, X912). Until official patches are released, organizations should implement strict network segmentation to isolate these devices from critical internal networks, limiting exposure to potential attackers. Access controls should be reviewed and tightened to minimize the number of users with 'User' privileges, and strong authentication mechanisms should be enforced for all device access. Monitoring and logging of API access and configuration changes should be enabled to detect suspicious activities promptly. If possible, disable remote management features or restrict them to trusted IP addresses. Organizations should engage with Akuvox for patch timelines and apply updates immediately upon release. Additionally, consider deploying compensating controls such as network intrusion detection systems (NIDS) to identify anomalous traffic patterns targeting these devices. Physical security policies should be reinforced to mitigate risks from compromised devices. Finally, staff training on the risks associated with IoT and smart devices should be enhanced to raise awareness.