A critical vulnerability in the Advanced Software Framework (ASF) of Microchip was recently discovered and it should serve as a reminder of the growing security risks in the IoT segment. Tracked as CVE-2024-7490, the vulnerability has a CVSS score of 9.5 and is placing among the most severe types of threats. It is basically a weakness that stem from inadequate input validation in the tinydhcp server.

IoT devices running outdated ASF versions are sitting ducks for attackers. A simple crafted DHCP request can easily trigger the flaw and hackers can take control of the devices. Given that ASF is no longer supported and widely used in IoT-centric code, the potential scale of exploitation is vast, affecting everything from smart home gadgets to critical infrastructure.

This vulnerability is not just a technical problem; it highlights a much larger issue—IoT security is woefully unprepared for the real world. Many IoT devices, once deployed, are rarely updated or patched, leaving them exposed to emerging threats.

This isn’t the only example of IoT vulnerabilities flying under the radar. SonicWall recently reported a zero-click vulnerability (CVE-2024-20017) affecting MediaTek Wi-Fi chipsets, with a similarly high CVSS score of 9.8. Like the ASF flaw, it could allow remote code execution, requiring no user interaction. While a patch exists, the existence of proof-of-concept exploits increases the likelihood of real-world attacks.

IoT manufacturers, developers and users need to take security more seriously. Patches should be timely and frameworks must be rigorously tested. The industry should move toward more proactive security models. Vulnerabilities like these expose the dark side of IoT. We rely on convenience and innovation, but these can be easily exploited if security is not at the forefront.