CVE-2024-21881
CVE-2024-21881 is a high-severity vulnerability with a CVSS 4.0 base score of 8.6. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-326.
Key facts
- Severity: High (CVSS 4.0 base score 8.6)
- EPSS exploit prediction: 0% (21st percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2024-19492
- Weakness: CWE-326
- Published:
- Last modified:
Description
Inadequate Encryption Strength vulnerability allow an authenticated attacker to execute arbitrary OS Commands via encrypted package upload.This issue affects Envoy: 4.x and 5.x
Frequently asked questions
- What is CVE-2024-21881?
- Inadequate Encryption Strength vulnerability allow an authenticated attacker to execute arbitrary OS Commands via encrypted package upload.This issue affects Envoy: 4.x and 5.x
- How severe is CVE-2024-21881?
- CVE-2024-21881 has a CVSS 4.0 base score of 8.6, rated high severity.
- Is CVE-2024-21881 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (21st percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2024-21881?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2024-21881 have an EU (EUVD) identifier?
- Yes. CVE-2024-21881 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-19492.
- When was CVE-2024-21881 published?
- CVE-2024-21881 was published on 2024-08-12 and last updated on 2026-06-17.
References
- https://csirt.divd.nl/CVE-2024-21881
- https://csirt.divd.nl/DIVD-2024-00011
- https://enphase.com/cybersecurity/advisories/ensa-2024-6
Other CWE-326 (Inadequate Encryption Strength) vulnerabilities
- CVE-2026-44523 — Critical (CVSS 10.0): Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the…
- CVE-2020-6966 — Critical (CVSS 10.0): In ApexPro Telemetry Server Versions 4.2 and prior, CARESCAPE Telemetry Server v4.2 & prior, Clinical Information…
- CVE-2014-9199 — Critical (CVSS 10.0): The Clorius Controls Java web client before 01.00.0009g allows remote attackers to discover credentials by sniffing the…
- CVE-2018-25272 — Critical (CVSS 9.8): ELBA5 5.8.0 contains a remote code execution vulnerability that allows attackers to obtain database credentials and…
- CVE-2025-12478 — Critical (CVSS 9.8): Non-Compliant TLS Configuration.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 .
- CVE-2022-24116 — Critical (CVSS 9.8): Certain General Electric Renewable Energy products have inadequate encryption strength. This affects iNET and iNET II…
Browse all CWE-326 (Inadequate Encryption Strength) vulnerabilities →