CVE-2024-5947 is a vulnerability identified in Deep Sea Electronics DSE855 controllers, version 1.1.0, classified under CWE-306 (Missing Authentication for Critical Function). The flaw resides in the device's web-based user interface, where a critical configuration backup function is exposed without any authentication requirement. This allows an attacker with network adjacency—meaning they can reach the device over the network—to access sensitive configuration data, including stored credentials. Since no authentication or user interaction is required, the attacker can directly retrieve this information, which could be leveraged to gain deeper access or control over the device or related infrastructure. The vulnerability has a CVSS 3.0 base score of 6.5, reflecting a medium severity level, with a vector indicating low attack complexity, no privileges required, and no user interaction needed. The scope is unchanged, and the impact is high on confidentiality but none on integrity or availability. No patches or mitigations have been officially released yet, and no active exploits have been reported. The vulnerability was disclosed by the Zero Day Initiative (ZDI) under the identifier ZDI-CAN-22679 and published on June 13, 2024.

The primary impact of CVE-2024-5947 is the unauthorized disclosure of sensitive configuration data and credentials stored within the DSE855 device. This exposure can lead to further compromise, such as unauthorized configuration changes, device control, or lateral movement within the network. Organizations relying on DSE855 controllers—commonly used in industrial control systems, power generation, and backup power management—may face increased risk of operational disruption or espionage. While the vulnerability does not directly affect device integrity or availability, the leaked credentials can facilitate more severe attacks. The lack of authentication and ease of exploitation increase the likelihood of exploitation in environments where network segmentation or access controls are weak. This could lead to breaches in critical infrastructure sectors, potentially impacting energy providers, manufacturing plants, and other industrial operations globally.

Until an official patch is released, organizations should implement strict network segmentation to isolate DSE855 devices from untrusted networks and limit access to trusted administrators only. Employ firewall rules to restrict access to the device's web interface, allowing connections only from authorized management stations. Monitor network traffic and device logs for unusual access patterns or repeated unauthorized attempts. Change any default or weak credentials on the device and rotate credentials regularly to reduce the risk of credential compromise. If possible, disable the web-based configuration backup feature or restrict its availability. Engage with Deep Sea Electronics support channels to obtain updates on patch availability and apply them promptly once released. Additionally, consider deploying intrusion detection systems (IDS) tuned to detect reconnaissance or exploitation attempts targeting the DSE855 web interface.