CRA Compliance Report
EU Cyber Resilience Act Assessment • 2025-12-11 22:26
Product Information
Compliance Overview
The EU Cyber Resilience Act (CRA) establishes cybersecurity requirements for products with digital elements. This assessment evaluates compliance against the Annex I requirements: Part I (product security) and Part II (vulnerability handling).
Part I: Product Security Requirements
11 of 14 clauses assessed
40% Compliant
| Clause | Requirement | Status |
|---|---|---|
| 1 | Appropriate Cybersecurity Level | Partial |
| 2(a) | No Known Exploitable Vulnerabilities | Non-Compliant |
| 2(b) | Secure by Default Configuration | Partial |
| 2(c) | Security Update Capability | Partial |
| 2(d) | Protection from Unauthorized Access | Partial |
| 2(e) | Data Confidentiality | Partial |
| 2(f) | Data Integrity | Partial |
| 2(g) | Data Minimization | Not Assessed |
| 2(h) | Availability Protection | Partial |
| 2(i) | Minimize Network Impact | Partial |
| 2(j) | Limit Attack Surfaces | Partial |
| 2(k) | Exploitation Mitigation | Compliant |
| 2(l) | Security Logging and Monitoring | Not Assessed |
| 2(m) | Secure Data Removal | Not Assessed |
Part II: Vulnerability Handling Requirements
8 of 8 clauses assessed
94% Compliant
| Clause | Requirement | Status |
|---|---|---|
| II-1 | SBOM Documentation | Compliant |
| II-2 | Vulnerability Remediation | Compliant |
| II-3 | Regular Security Testing | Compliant |
| II-4 | Vulnerability Disclosure | Compliant |
| II-5 | Coordinated Vulnerability Disclosure Policy | Compliant |
| II-6 | Vulnerability Information Sharing | Compliant |
| II-7 | Secure Update Distribution | Partial |
| II-8 | Security Update Dissemination | Compliant |
Part I: Product Security Requirements
Clause 1: Appropriate Cybersecurity Level
Assessment Methodology
Checks Performed:
- CISA KEV vulnerabilities present
- Configuration checks failed
- Cracked credentials detected
- Private keys compromised
Score Calculation: Starting from 100 points:
| CISA KEV vulnerabilities (11 found) | -30 pts |
| Config checks failed (5 failed) | -5 pts |
| Cracked credentials (0 found) | No penalty |
| Private keys exposed (30 found) | -20 pts |
| Final Score | 45 pts |
Status Thresholds: ≥80 = Compliant, 25-79 = Partial, <25 = Non-Compliant
CISA KEV vulnerabilities present (11 found, showing 10; the eleventh, CVE-2024-53150, appears in Detailed Findings)
| CVE | Severity | KEV | Weaponized | EPSS |
|---|---|---|---|---|
| CVE-2021-0920 | MEDIUM | 🔴 Yes | 💥 Yes | 0.9% |
| CVE-2021-22600 | HIGH | 🔴 Yes | 💥 Yes | 0.2% |
| CVE-2021-3156 | HIGH | 🔴 Yes | 💥 Yes | 92.2% |
| CVE-2022-2586 | HIGH | 🔴 Yes | 💥 Yes | 2.2% |
| CVE-2024-36971 | HIGH | 🔴 Yes | 💥 Yes | 0.4% |
| CVE-2024-50302 | MEDIUM | 🔴 Yes | 💥 Yes | 2.8% |
| CVE-2025-38352 | HIGH | 🔴 Yes | 💥 Yes | 0.2% |
| CVE-2024-1086 | HIGH | 🔴 Yes | 💥 Yes | 86.2% |
| CVE-2024-53197 | HIGH | 🔴 Yes | 💥 Yes | 1.8% |
| CVE-2024-53104 | HIGH | 🔴 Yes | 💥 Yes | 12.0% |
Clause 2(a): No Known Exploitable Vulnerabilities
Assessment Methodology
Checks Performed:
- Presence of vulnerabilities on CISA Known Exploited Vulnerabilities (KEV) catalog
- Presence of vulnerabilities with weaponized exploits in the wild
Score Calculation:
| CISA KEV vulnerabilities (11 found) | Immediate Non-Compliance (0 pts) |
| Weaponized exploits (47 found) | N/A (KEV present) |
| Final Score | 0 pts |
Compliance Logic: Any CISA KEV vulnerability results in immediate non-compliance. Weaponized exploits without KEV entries result in partial compliance (30 pts).
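The Clause 2(a) rule above, together with the KEV > weaponized > severity > EPSS ordering that the Prioritized Vulnerabilities table in Detailed Findings follows, is small enough to reproduce so that a product team can track it in CI against their own scan output. The block below is an added example, not NetRise code: the Finding field names are an assumption about how such records would be carried, and the sample rows are constructed from this report's CVE tables (the openssl row has no EPSS value in the report, so 0.0 is a placeholder).

```python
# Added example (not NetRise code): the Clause 2(a) rule stated above and the
# KEV > weaponized > severity > EPSS ordering that the report's "Prioritized
# Vulnerabilities" table follows. Field names on Finding are an assumption
# about how such records would be carried; sample rows are constructed from
# this report's CVE tables.
from dataclasses import dataclass

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


@dataclass(frozen=True)
class Finding:
    cve: str
    severity: str      # CVSS qualitative rating as printed in the report
    component: str
    kev: bool          # listed in the CISA Known Exploited Vulnerabilities catalog
    weaponized: bool   # a working exploit is known in the wild
    epss: float        # EPSS probability, 0.0 to 1.0


def status_for(score):
    """Report-wide thresholds: >=80 Compliant, 25-79 Partial, <25 Non-Compliant."""
    if score >= 80:
        return "Compliant"
    if score >= 25:
        return "Partial"
    return "Non-Compliant"


def assess_clause_2a(findings):
    """Clause 2(a) as the report states it: any KEV entry is an immediate 0
    (Non-Compliant); weaponized exploits with no KEV entry score 30 (Partial);
    a product with neither scores 100. Returns (score, status, driving findings)."""
    kev = [f for f in findings if f.kev]
    if kev:
        return 0, status_for(0), kev
    weaponized = [f for f in findings if f.weaponized]
    if weaponized:
        return 30, status_for(30), weaponized
    return 100, status_for(100), []


def prioritize(findings):
    """Remediation order: KEV first, then weaponized, then CVSS severity, then
    EPSS descending, then CVE id so the order is stable run to run."""
    return sorted(
        findings,
        key=lambda f: (not f.kev, not f.weaponized,
                       -SEVERITY_RANK.get(f.severity, 0), -f.epss, f.cve),
    )


# Constructed sample: rows taken from this report's tables. The last row has
# no EPSS in the report, so 0.0 is a placeholder.
SAMPLE = [
    Finding("CVE-2021-3156", "HIGH", "sudo 1.8.25", True, True, 0.922),
    Finding("CVE-2024-1086", "HIGH", "linux_kernel 5.4.266", True, True, 0.862),
    Finding("CVE-2021-22600", "HIGH", "linux_kernel 5.4.266", True, True, 0.002),
    Finding("CVE-2023-38408", "CRITICAL", "openssh 7.4", False, True, 0.671),
    Finding("CVE-2024-23334", "HIGH", "aiohttp 3.7.2", False, True, 0.936),
    Finding("CVE-2018-0734", "MEDIUM", "openssl 1.0.2k", False, False, 0.0),
]

if __name__ == "__main__":
    score, status, drivers = assess_clause_2a(SAMPLE)
    print(f"Clause 2(a): {score} pts -> {status}, driven by {len(drivers)} finding(s)")
    for f in prioritize(SAMPLE):
        flags = " ".join(t for t, on in (("KEV", f.kev), ("Weaponized", f.weaponized)) if on)
        print(f"{f.cve:15} {f.severity:8} {f.component:22} {f.epss:6.1%} {flags}")
```

Note that severity is ranked before EPSS, which is why CVE-2023-38408 (CRITICAL, 67.1%) sorts above CVE-2024-23334 (HIGH, 93.6%) exactly as in the report's table; a team that prefers probability-of-exploitation first only needs to swap those two key terms.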
Clause 2(b): Secure by Default Configuration
Assessment Methodology
Checks Performed:
- Cracked/weak credentials detected (passwords that can be easily broken)
- Critical security configuration checks that failed
- Exposed private keys in firmware/software
Score Calculation: Starting from 100 points:
| Cracked credentials (0 found) | No penalty |
| Critical failed config checks (1 found) | -30 pts |
| Private keys exposed (30 found) | -20 pts |
| Final Score | 50 pts |
Status Thresholds: ≥80 = Compliant, 25-79 = Partial, <25 = Non-Compliant
Clause 2(c): Security Update Capability
Assessment Methodology
Checks Performed:
- Vulnerability tracking and identification capability
- Continuous monitoring for new vulnerabilities
Assessment Notes:
NetRise provides vulnerability identification and continuous monitoring, but static firmware analysis cannot verify that the product's update delivery mechanism works; that requires operational testing.
Status: Partial - monitoring capability is confirmed, but verification of the update mechanism requires runtime testing.
Clause 2(d): Protection from Unauthorized Access
Assessment Methodology
Checks Performed:
- Cracked/weak credentials that could enable unauthorized access
- Exposed private keys that could compromise authentication
- High volume of critical vulnerabilities indicating access control weaknesses
Score Calculation: Starting from 100 points:
| Cracked credentials (0 found) | No penalty |
| Private keys exposed (30 found) | -20 pts |
| Critical vulns >5 (110 found) | -20 pts |
| Final Score | 60 pts |
Status Thresholds: ≥80 = Compliant, 25-79 = Partial, <25 = Non-Compliant
Clause 2(e): Data Confidentiality
Assessment Methodology
Checks Performed:
- Certificate validity and configuration issues
- Exposed private keys that could compromise encrypted data
Score Calculation: Starting from 100 points:
| Certificates with issues (2177 found) | -30 pts |
| Private keys exposed (30 found) | -30 pts |
| Final Score | 40 pts |
Status Thresholds: ≥80 = Compliant, 25-79 = Partial, <25 = Non-Compliant
Clause 2(f): Data Integrity
CWEs Checked (13 total)
Information Disclosure: CWE-200, CWE-312, CWE-319
Access Control: CWE-284, CWE-285, CWE-862, CWE-863, CWE-22
Weak Crypto: CWE-311, CWE-327
Credential Exposure: CWE-798, CWE-522
⚠ 98 vulnerabilities with data integrity CWEs found - Review recommended.
Matching CVEs (98 total, showing top 10)
| CVE | Severity | Component | CWEs |
|---|---|---|---|
| CVE-2007-2768 | MEDIUM | openssh 7.4 | CWE-200 |
| CVE-2007-4559 | CRITICAL | python 3.8.5 | CWE-22 |
| CVE-2010-4563 | MEDIUM | linux_kernel 5.4.266 | CWE-200 |
| CVE-2017-3736 | MEDIUM | openssl 1.0.2k | CWE-200 |
| CVE-2017-3738 | MEDIUM | openssl 1.0.2k | CWE-200 |
| CVE-2018-0734 | MEDIUM | openssl 1.0.2k | CWE-327 |
| CVE-2018-0737 | MEDIUM | openssl 1.0.2k | CWE-327 |
| CVE-2018-10844 | MEDIUM | gnutls 3.6.8 | CWE-385, CWE-327 |
| CVE-2018-10845 | MEDIUM | gnutls 3.6.8 | CWE-385, CWE-327 |
| CVE-2018-10846 | MEDIUM | gnutls 3.6.8 | CWE-385, CWE-327 |
Assessment Methodology
Checks Performed:
- Scan for 13 data integrity-related CWEs across 4 vulnerability families
- Information Disclosure: CWE-200, CWE-312, CWE-319
- Access Control Failures: CWE-284, CWE-285, CWE-862, CWE-863, CWE-22
- Weak/Missing Crypto: CWE-311, CWE-327
- Credential Exposure: CWE-798, CWE-522
Score Calculation:
| 0 data integrity CWEs | 100 pts (Compliant) |
| 1-5 data integrity CWEs | 70 pts (Partial) |
| 6-15 data integrity CWEs | 50 pts (Partial) |
| >15 data integrity CWEs | 30 pts (Partial: 30 falls in the 25-79 band of the thresholds below) |
| Current (98 CWE matches) | 30 pts (Partial) |
Status Thresholds: ≥80 = Compliant, 25-79 = Partial, <25 = Non-Compliant
Clause 2(g): Data Minimization
Indirect coverage through security risk assessment.
Assessment Methodology
Assessment Status: Not Assessed
Data minimization requirements relate to limiting data collection and processing to what is necessary for the product's intended purpose. This is primarily a design and policy consideration that cannot be fully assessed through static firmware analysis.
Indirect Coverage: NetRise can identify potential data leakage risks through vulnerability analysis, but direct assessment of data minimization practices requires design documentation review.
Clause 2(h): Availability Protection
DoS CWEs Checked (12 total)
Resource Exhaustion: CWE-400, CWE-770, CWE-404, CWE-789, CWE-1325
Algorithmic Complexity: CWE-1333, CWE-834, CWE-606
Hang/Freeze: CWE-835, CWE-674, CWE-1322
Crash-on-demand: CWE-617
⚠ 163 vulnerabilities with DoS-related CWEs found - Review recommended.
Matching CVEs (163 total, showing top 10)
| CVE | Severity | Component | CWEs |
|---|---|---|---|
| CVE-2012-0876 | MEDIUM | libexpat 1.95.5 | CWE-400 |
| CVE-2017-9233 | HIGH | libexpat 1.95.5 | CWE-835 |
| CVE-2018-0739 | MEDIUM | openssl 1.0.2k | CWE-674 |
| CVE-2018-19591 | HIGH | glibc 2.28 | CWE-20, CWE-404 |
| CVE-2018-20482 | MEDIUM | tar 1.30 | CWE-835 |
| CVE-2018-20796 | HIGH | glibc 2.28 | CWE-674 |
| CVE-2019-15165 | MEDIUM | libpcap 1.9.0 | CWE-770 |
| CVE-2019-19645 | MEDIUM | sqlite 3.26.0 | CWE-674 |
| CVE-2019-3819 | MEDIUM | linux_kernel 5.4.266 | CWE-835 |
| CVE-2019-6488 | HIGH | glibc 2.28 | CWE-404 |
Assessment Methodology
Checks Performed:
- Scan for 12 DoS-related CWEs across 4 vulnerability families
- Resource Exhaustion: CWE-400, CWE-770, CWE-404, CWE-789, CWE-1325
- Algorithmic Complexity (CPU): CWE-1333, CWE-834, CWE-606
- Hang/Freeze: CWE-835, CWE-674, CWE-1322
- Crash-on-demand: CWE-617
Score Calculation:
| 0 DoS-related CWEs | 100 pts (Compliant) |
| 1-3 DoS-related CWEs | 70 pts (Partial) |
| 4-10 DoS-related CWEs | 50 pts (Partial) |
| >10 DoS-related CWEs | 30 pts (Partial: 30 falls in the 25-79 band of the thresholds below) |
| Current (163 CWE matches) | 30 pts (Partial) |
Status Thresholds: ≥80 = Compliant, 25-79 = Partial, <25 = Non-Compliant
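Clauses 2(f) and 2(h) above use the same mechanism: map each CVE's CWE list onto a small set of families, count the CVEs that hit any family, and convert the count to points through a tier table (5/15 for data integrity, 3/10 for DoS). The block below is an added example, not NetRise code, that implements that mechanism for both clauses with the family lists and tier boundaries printed in this report. The record layout (cve, component, cwes) is an assumption, the sample rows are constructed from the tables shown above, and the sudo row (CWE-193, which matches neither family) is included so the non-matching path is exercised. It also shows why the report's own counts (98 and 163) land on Partial rather than Non-Compliant: the 30-point floor sits inside the 25-79 band.

```python
# Added example (not NetRise code) for the CWE-family scans behind Clauses
# 2(f) and 2(h). The family lists and tier boundaries are the ones printed in
# the report; the record layout (cve, component, cwes) is an assumption and the
# sample rows are constructed from the report's tables.
from collections import Counter

DATA_INTEGRITY_FAMILIES = {
    "Information Disclosure": {"CWE-200", "CWE-312", "CWE-319"},
    "Access Control Failures": {"CWE-284", "CWE-285", "CWE-862", "CWE-863", "CWE-22"},
    "Weak/Missing Crypto": {"CWE-311", "CWE-327"},
    "Credential Exposure": {"CWE-798", "CWE-522"},
}
DOS_FAMILIES = {
    "Resource Exhaustion": {"CWE-400", "CWE-770", "CWE-404", "CWE-789", "CWE-1325"},
    "Algorithmic Complexity": {"CWE-1333", "CWE-834", "CWE-606"},
    "Hang/Freeze": {"CWE-835", "CWE-674", "CWE-1322"},
    "Crash-on-demand": {"CWE-617"},
}
# (largest match count in the tier, points). Counts above the last tier get
# FLOOR_POINTS. 2(f) uses 5/15, 2(h) uses 3/10, both bottom out at 30.
DATA_INTEGRITY_TIERS = [(0, 100), (5, 70), (15, 50)]
DOS_TIERS = [(0, 100), (3, 70), (10, 50)]
FLOOR_POINTS = 30


def status_for(score):
    """Report-wide thresholds: >=80 Compliant, 25-79 Partial, <25 Non-Compliant.
    The 30-point floor lands in the Partial band, which is why the overview
    table shows 2(f) and 2(h) as Partial."""
    if score >= 80:
        return "Compliant"
    if score >= 25:
        return "Partial"
    return "Non-Compliant"


def match_families(records, families):
    """Map cve -> [family names] for every record whose CWEs touch a family.
    CWE lists are set-reduced first (the report prints repeats such as
    'CWE-22, CWE-22'), so a CVE is counted once however often a CWE appears."""
    hits = {}
    for rec in records:
        cwes = set(rec["cwes"])
        matched = [name for name, members in families.items() if cwes & members]
        if matched:
            hits[rec["cve"]] = matched
    return hits


def tier_score(match_count, tiers):
    for upper, points in tiers:
        if match_count <= upper:
            return points
    return FLOOR_POINTS


def assess(records, families, tiers):
    """Full clause result: match count, score, status and a per-family breakdown."""
    hits = match_families(records, families)
    score = tier_score(len(hits), tiers)
    by_family = Counter(name for names in hits.values() for name in names)
    return {"matches": len(hits), "score": score,
            "status": status_for(score), "by_family": dict(by_family)}


# Constructed sample drawn from the rows shown for 2(f) and 2(h), plus one
# CVE (sudo, CWE-193) that belongs to neither family.
SAMPLE = [
    {"cve": "CVE-2007-4559", "component": "python 3.8.5", "cwes": ["CWE-22", "CWE-22"]},
    {"cve": "CVE-2017-3736", "component": "openssl 1.0.2k", "cwes": ["CWE-200"]},
    {"cve": "CVE-2018-10844", "component": "gnutls 3.6.8", "cwes": ["CWE-385", "CWE-327"]},
    {"cve": "CVE-2017-9233", "component": "libexpat 1.95.5", "cwes": ["CWE-835"]},
    {"cve": "CVE-2018-19591", "component": "glibc 2.28", "cwes": ["CWE-20", "CWE-404"]},
    {"cve": "CVE-2019-15165", "component": "libpcap 1.9.0", "cwes": ["CWE-770", "CWE-770"]},
    {"cve": "CVE-2019-3819", "component": "linux_kernel 5.4.266", "cwes": ["CWE-835", "CWE-835"]},
    {"cve": "CVE-2021-3156", "component": "sudo 1.8.25", "cwes": ["CWE-193"]},
]

if __name__ == "__main__":
    for label, fam, tiers in (("2(f) data integrity", DATA_INTEGRITY_FAMILIES, DATA_INTEGRITY_TIERS),
                              ("2(h) availability", DOS_FAMILIES, DOS_TIERS)):
        print(label, assess(SAMPLE, fam, tiers))
    floor = tier_score(98, DATA_INTEGRITY_TIERS)   # the report's own 2(f) count
    print("98 matches ->", floor, status_for(floor))
```

The per-family breakdown is the part worth reading: the tier score alone says "163 DoS matches", while the breakdown says whether those are mostly decompression bombs in one parser library or hangs spread across the kernel, which changes what you fix first.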
Clause 2(i): Minimize Network Impact
Assessment Methodology
Checks Performed:
- DoS-related vulnerabilities that could impact network availability
- Critical/High severity vulnerabilities with network impact potential
- Failed security configuration checks
Assessment Notes:
This clause is assessed in conjunction with Clause 2(h) Availability Protection, as DoS vulnerabilities directly impact network service availability.
Score: 30 pts (based on DoS vulnerability assessment)
Status Thresholds: ≥80 = Compliant, 25-79 = Partial, <25 = Non-Compliant
Clause 2(j): Limit Attack Surfaces
Assessment Methodology
Checks Performed:
- CISA KEV vulnerabilities (actively exploited attack vectors)
- Weaponized exploits (high-risk attack surface exposure)
- Component count (software attack surface size - threshold: 500)
Score Calculation: Starting from 100 points:
| CISA KEV vulnerabilities (11 found) | -30 pts |
| Weaponized exploits (47 found) | -20 pts |
| Large component count (907 components) | -20 pts |
| Final Score | 30 pts |
Status Thresholds: ≥80 = Compliant, 25-79 = Partial, <25 = Non-Compliant
Clause 2(k): Exploitation Mitigation
Assessment Methodology
Checks Performed:
- Weak/cracked credentials that facilitate exploitation
- Exposed private keys that could be leveraged in attacks
- Failed security configuration checks that reduce exploit barriers
Score Calculation: Starting from 100 points:
| Weak/cracked credentials (0 found) | No penalty |
| Exposed private keys (30 found) | -20 pts |
| Final Score | 80 pts |
Status Thresholds: ≥80 = Compliant, 25-79 = Partial, <25 = Non-Compliant
Clause 2(l): Security Logging and Monitoring
Configuration analysis can be customized to verify logging presence.
Assessment Methodology
Assessment Status: Not Assessed
Security logging and monitoring requirements relate to runtime behavior and operational configuration. Static firmware analysis has limited visibility into logging implementations.
Potential Coverage: Custom configuration checks can be developed to identify presence of logging frameworks, syslog configurations, or audit trails in the firmware image.
Clause 2(m): Secure Data Removal
Configuration analysis can be customized to verify data removal capability.
Assessment Methodology
Assessment Status: Not Assessed
Secure data removal is primarily a functional capability that requires runtime testing to verify. Static analysis cannot confirm data removal procedures are implemented correctly.
Potential Coverage: Custom configuration checks can identify presence of factory reset mechanisms or data wipe utilities in the firmware.
Part II: Vulnerability Handling Requirements
Clause II-1: SBOM Documentation
Assessment Methodology
Checks Performed:
- SBOM generation capability (component enumeration)
- Component-to-vulnerability correlation
- Export format support (CycloneDX, SPDX)
Assessment Logic:
Compliant if components are enumerated (907 found). The SBOM covers all 907 software components; 65 carry known vulnerabilities and 842 (92.8%) have none.
Clause II-2: Vulnerability Remediation
Assessment Methodology
Checks Performed:
- Vulnerability discovery and tracking
- Fix version availability identification
- Continuous monitoring for new vulnerabilities
Assessment Logic:
NetRise provides automated vulnerability discovery, prioritization, and remediation guidance. 4145 vulnerabilities are tracked; 94 of them have a known fix version available.
Clause II-3: Regular Security Testing
Assessment Methodology
Checks Performed:
- CI/CD pipeline integration capability
- Continuous security monitoring
- Automated firmware/software analysis
Assessment Logic:
NetRise supports integration into development pipelines for regular security testing. Continuous monitoring ensures new vulnerabilities are identified as they are disclosed.
Clause II-4: Vulnerability Disclosure
Assessment Methodology
Checks Performed:
- VEX (Vulnerability Exploitability Exchange) document generation
- Standardized vulnerability disclosure format
- Impact and severity information availability
Assessment Logic:
NetRise supports VEX document generation for standardized vulnerability disclosure. All 4145 identified vulnerabilities include severity ratings, descriptions, and remediation guidance.
Clause II-5: Coordinated Vulnerability Disclosure Policy
Assessment Methodology
Checks Performed:
- VEX document support for coordinated disclosure
- Vulnerability impact assessment capability
- Standardized severity classification (CVSS)
Assessment Logic:
NetRise supports coordinated vulnerability disclosure through VEX document generation, enabling standardized communication with stakeholders about vulnerability status and impact.
Clause II-6: Vulnerability Information Sharing
Assessment Methodology
Checks Performed:
- Third-party component vulnerability tracking
- Exportable vulnerability reports
- Multiple format support for information sharing
Assessment Logic:
NetRise identifies and tracks 4145 vulnerabilities in third-party components. Reports can be exported in VEX, CycloneDX, and SPDX formats for stakeholder sharing.
Clause II-7: Secure Update Distribution
Assessment Methodology
Checks Performed:
- Software version tracking across assets
- Patch validation through re-analysis
- Fix version availability detection
Assessment Logic:
NetRise provides version tracking and can validate patches through re-analysis. 94 vulnerabilities have known fix versions identified. Status is Partial as actual update distribution mechanisms require operational verification.
Clause II-8: Security Update Dissemination
Assessment Methodology
Checks Performed:
- VEX-formatted security advisory generation
- Remediation guidance availability
- Vulnerability prioritization data (EPSS, KEV, CVSS)
Assessment Logic:
NetRise supports VEX document generation for security advisory dissemination. Advisories include severity, impact, fix availability, and prioritization data to help users take appropriate action.
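Clauses II-1 and II-4 above rest on SBOM export (CycloneDX, SPDX) and VEX generation. To make concrete what those artifacts contain, the block below assembles a minimal CycloneDX 1.5 BOM with an embedded VEX section using only the Python standard library. It is an added example, not NetRise code, and does not reproduce NetRise's export format. Component names and CVE ids come from this report's tables; the purl/bom-ref values, the serial number, and every analysis state, justification and detail string are assumptions made for illustration, not NetRise determinations.

```python
# Added example (not NetRise code and not its export format): a minimal
# CycloneDX 1.5 BOM carrying an embedded VEX section. Components and CVEs
# come from this report's tables; every analysis state, justification and
# detail string is an assumed triage outcome for illustration, and the
# serial number is a placeholder.
import json

BOM_SERIAL = "urn:uuid:00000000-0000-4000-8000-000000000001"  # placeholder


def make_bom(components, vulnerabilities):
    """components: iterable of (name, version, purl).
    vulnerabilities: dicts with id, severity, ref (a purl), state and
    optionally cwes, justification, response, detail."""
    bom = {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": BOM_SERIAL,
        "version": 1,
        "components": [
            {"type": "library", "bom-ref": purl, "name": name, "version": version, "purl": purl}
            for name, version, purl in components
        ],
        "vulnerabilities": [],
    }
    known_refs = {c["bom-ref"] for c in bom["components"]}
    for v in vulnerabilities:
        if v["ref"] not in known_refs:
            # A VEX statement about a component absent from the BOM cannot be
            # verified by the consumer; fail loudly instead of emitting it.
            raise ValueError(f"{v['id']} affects unknown bom-ref {v['ref']}")
        analysis = {"state": v["state"]}       # exploitable, not_affected, in_triage, ...
        for key in ("justification", "response", "detail"):
            if key in v:                       # omit rather than emit null values
                analysis[key] = v[key]
        bom["vulnerabilities"].append({
            "id": v["id"],
            "source": {"name": "NVD", "url": f"https://nvd.nist.gov/vuln/detail/{v['id']}"},
            "ratings": [{"severity": v["severity"].lower(), "method": "CVSSv31"}],
            # CycloneDX encodes CWEs as bare integers, not "CWE-22" strings.
            "cwes": [int(c.split("-")[1]) for c in v.get("cwes", [])],
            "analysis": analysis,
            "affects": [{"ref": v["ref"]}],
        })
    return bom


def exploitable(bom):
    """CVE ids the VEX section marks exploitable: what a consumer must act on."""
    return sorted(v["id"] for v in bom["vulnerabilities"] if v["analysis"]["state"] == "exploitable")


def to_json(bom):
    return json.dumps(bom, indent=2, sort_keys=True)


# Constructed inputs built from rows in this report.
COMPONENTS = [
    ("sudo", "1.8.25", "pkg:generic/sudo@1.8.25"),
    ("openssh", "7.4", "pkg:generic/openssh@7.4"),
    ("openssl", "1.0.2k", "pkg:generic/openssl@1.0.2k"),
]
VULNS = [
    {"id": "CVE-2021-3156", "severity": "HIGH", "cwes": ["CWE-193"], "ref": "pkg:generic/sudo@1.8.25",
     "state": "exploitable", "response": ["update"],
     "detail": "On CISA KEV; update sudo to 1.9.5p2 or later."},
    {"id": "CVE-2023-38408", "severity": "CRITICAL", "ref": "pkg:generic/openssh@7.4",
     "state": "in_triage", "detail": "Assumed: reachability via ssh-agent forwarding not yet confirmed."},
    {"id": "CVE-2018-0734", "severity": "MEDIUM", "cwes": ["CWE-327"], "ref": "pkg:generic/openssl@1.0.2k",
     "state": "not_affected", "justification": "code_not_reachable",
     "detail": "Assumed for illustration: DSA signing is not used on the device."},
]

if __name__ == "__main__":
    bom = make_bom(COMPONENTS, VULNS)
    print(to_json(bom))
    print("act on:", exploitable(bom))
```

Two details matter when a downstream consumer validates the file: `cwes` must be integers, and `analysis.justification` is only meaningful (and only schema-valid as an enum) when the state is `not_affected`, so the builder leaves it out unless supplied.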
Detailed Findings
Prioritized Vulnerabilities
Vulnerabilities prioritized by exploitability and impact (showing top 20)
| CVE | Severity | Component | Risk Indicators | EPSS |
|---|---|---|---|---|
| CVE-2021-3156 | HIGH | sudo 1.8.25 | 🔴 KEV 💥 Weaponized | 92.2% |
| CVE-2024-1086 | HIGH | linux_kernel 5.4.266 | 🔴 KEV 💥 Weaponized | 86.2% |
| CVE-2024-53104 | HIGH | linux_kernel 5.4.266 | 🔴 KEV 💥 Weaponized | 12.0% |
| CVE-2022-2586 | HIGH | linux_kernel 5.4.266 | 🔴 KEV 💥 Weaponized | 2.2% |
| CVE-2024-53197 | HIGH | linux_kernel 5.4.266 | 🔴 KEV 💥 Weaponized | 1.8% |
| CVE-2024-53150 | HIGH | linux_kernel 5.4.266 | 🔴 KEV 💥 Weaponized | 1.6% |
| CVE-2024-36971 | HIGH | linux_kernel 5.4.266 | 🔴 KEV 💥 Weaponized | 0.4% |
| CVE-2025-38352 | HIGH | linux_kernel 5.4.266 | 🔴 KEV 💥 Weaponized | 0.2% |
| CVE-2021-22600 | HIGH | linux_kernel 5.4.266 | 🔴 KEV 💥 Weaponized | 0.2% |
| CVE-2024-50302 | MEDIUM | linux_kernel 5.4.266 | 🔴 KEV 💥 Weaponized | 2.8% |
| CVE-2021-0920 | MEDIUM | linux_kernel 5.4.266 | 🔴 KEV 💥 Weaponized | 0.9% |
| CVE-2023-38408 | CRITICAL | openssh 8.3 | 💥 Weaponized | 67.1% |
| CVE-2023-38408 | CRITICAL | openssh 7.4 | 💥 Weaponized | 67.1% |
| CVE-2023-38408 | CRITICAL | openssh 8.0 | 💥 Weaponized | 67.1% |
| CVE-2023-38408 | CRITICAL | openssh 7.4 | 💥 Weaponized | 67.1% |
| CVE-2023-38408 | CRITICAL | openssh 7.9 | 💥 Weaponized | 67.1% |
| CVE-2023-38408 | CRITICAL | openssh 8.3 | 💥 Weaponized | 67.1% |
| CVE-2024-23334 | HIGH | aiohttp 3.7.2 | 💥 Weaponized | 93.6% |
| CVE-2024-2961 | HIGH | glibc 2.32 | 💥 Weaponized | 92.9% |
| CVE-2024-2961 | HIGH | glibc 2.28 | 💥 Weaponized | 92.9% |
Configuration Findings
Security configuration checks performed: 20 total
| Check | Result | Severity | Details |
|---|---|---|---|
| Users with no password set | FAIL | CRITICAL | AUTHENTICATION: Disable login or set a password for the specified users. |
| World writable and readable directories outside tmp | FAIL | MEDIUM | CONFIGURATION: Modify the permissions to restrict access to the directories. |
| Services Without Configuration Files | FAIL | LOW | CONFIGURATION: Include config files for the associated services to further secure installation. |
| Weak hash algorithms found | FAIL | MEDIUM | CRYPTOGRAPHY: Replace weak hashing algorithms with stronger algorithms. |
| Insecure URL | FAIL | MEDIUM | DATA: Check individual URL problem descriptions |
| Multiple users with UID 0 | PASS | — | Check passed |
| Overly permissive access to passwd files | PASS | — | Check passed |
| Authorized Key with Matching Private Key | PASS | — | Check passed |
| History file present on disk | PASS | — | Check passed |
| Sudoers file with weak permissions | PASS | — | Check passed |
| Multiple groups with the same Group ID | PASS | — | Check passed |
| Binaries with Memory Corruption Vulnerabilities and Protection Disabled | PASS | — | Check passed |
| Telnet server exists | PASS | — | Check passed |
| SELinux is disabled | PASS | — | Check passed |
| fstab should always have permissions of 0644 | PASS | — | Check passed |
| Insecure services start at boot | PASS | — | Check passed |
| GTFOBins installed with setuid bit enabled can lead to privilege escalation | PASS | — | Check passed |
| One or more compilers exist | PASS | — | Check passed |
| Sudoers file missing | PASS | — | Check passed |
| Cronjobs with weak permissions | PASS | — | Check passed |
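The CRITICAL failure above ("Users with no password set") and two of its neighbours ("Weak hash algorithms found", "Multiple users with UID 0") can be reproduced from nothing more than the /etc/passwd and /etc/shadow files carved out of a firmware root filesystem. The block below is an added example, not NetRise's checker, showing how such checks are written; both files are constructed for illustration and every hash field is a placeholder of the right shape, not a real hash. The scheme-prefix table and the set of no-login shells are assumptions that a real checker would extend.

```python
# Added example (not NetRise's checker): three of the configuration checks
# listed above, run over /etc/passwd and /etc/shadow text from a firmware root
# filesystem. Both files are constructed; every hash value is a placeholder.

# crypt(3) scheme prefixes. A field with no '$' prefix that is exactly 13
# characters long is traditional DES, which is as weak as md5crypt.
WEAK_SCHEMES = {"$1$": "md5crypt"}
ACCEPTED_SCHEMES = {"$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt", "$2b$": "bcrypt"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """name -> (password field, uid, shell) for each well-formed 7-field line."""
    users = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) == 7:
            users[parts[0]] = (parts[1], int(parts[2]), parts[6])
    return users


def parse_shadow(text):
    """name -> hash field (second column of /etc/shadow)."""
    return {p[0]: p[1] for p in (ln.split(":") for ln in text.splitlines()) if len(p) >= 2}


def classify_hash(field):
    """'none' (empty), 'locked' ('!' or '*'), a scheme name, 'des', or 'unknown'."""
    if field == "":
        return "none"
    if field.startswith(("!", "*")):
        return "locked"
    for prefix, name in {**WEAK_SCHEMES, **ACCEPTED_SCHEMES}.items():
        if field.startswith(prefix):
            return name
    return "des" if len(field) == 13 and "$" not in field else "unknown"


def users_without_password(passwd, shadow):
    """Accounts with a login shell that no password protects: an empty hash
    field in shadow, or an empty password field in passwd (then shadow is
    not consulted at all). Accounts with a no-login shell are skipped, which
    is the 'disable login' remedy the finding suggests."""
    hits = []
    for name, (pw, _uid, shell) in passwd.items():
        if shell in NOLOGIN_SHELLS:
            continue
        effective = shadow.get(name, "") if pw == "x" else pw
        if effective == "":
            hits.append(name)
    return sorted(hits)


def weak_hashes(shadow):
    """name -> scheme for live accounts whose hash is md5crypt, DES, or a
    scheme this checker does not recognise (flagged for review, not ignored)."""
    out = {}
    for name, field in shadow.items():
        scheme = classify_hash(field)
        if scheme in WEAK_SCHEMES.values() or scheme in ("des", "unknown"):
            out[name] = scheme
    return out


def uid0_accounts(passwd):
    """Every account with UID 0; more than one is the 'Multiple users with UID 0' finding."""
    return sorted(name for name, (_pw, uid, _sh) in passwd.items() if uid == 0)


# Constructed sample files (placeholder hashes of the right shape, not real ones).
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:second root:/root:/bin/sh
admin:x:1000:1000::/home/admin:/bin/sh
support::1001:1001::/home/support:/bin/sh
guest:x:1002:1002::/home/guest:/bin/sh
nobody:x:65534:65534::/nonexistent:/usr/sbin/nologin
"""
SHADOW = """\
root:$6$saltsalt$placeholderhashplaceholderhashplaceholderhashplaceholder:19000:0:99999:7:::
toor:dE5placeholdr:19000:0:99999:7:::
admin:$1$saltsalt$placeholderhashpl:19000:0:99999:7:::
guest::19000:0:99999:7:::
nobody:*:19000:0:99999:7:::
"""

if __name__ == "__main__":
    pw, sh = parse_passwd(PASSWD), parse_shadow(SHADOW)
    print("no password:", users_without_password(pw, sh))   # ['guest', 'support']
    print("weak hashes:", weak_hashes(sh))                  # {'toor': 'des', 'admin': 'md5crypt'}
    print("uid 0:", uid0_accounts(pw))                      # ['root', 'toor']
```

The two paths in `users_without_password` matter on firmware: an empty field in passwd itself (no "x") is the older pattern and is missed by checkers that only read shadow.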
Credential Findings
Credentials and password hashes detected in firmware
✓ No password hashes were successfully cracked.
Cryptographic Material
Keys and certificates discovered in firmware
Complete keypairs (matching public and private keys) were found in the firmware image: 30 private keys are exposed (penalized under Clauses 2(b), 2(d), 2(e) and 2(k)) and 2177 certificates have validity or configuration issues (Clause 2(e)). Anyone who extracts the firmware obtains both halves of each pair and can impersonate the device or decrypt communications protected by those keys.
Recommendations
- Address CISA KEV Vulnerabilities: 11 vulnerabilities are on the CISA Known Exploited Vulnerabilities list. Clause 2(a) treats any KEV entry as immediate non-compliance, so these must be remediated first.
- Remediate Weaponized Exploits: 47 vulnerabilities have known weaponized exploits and pose immediate risk.
- Address Failed Configuration Checks: 5 of 20 security configuration checks failed, including the CRITICAL finding of users with no password set, and require remediation.
- Maintain SBOM Documentation: Ensure the Software Bill of Materials is kept current and available in CycloneDX or SPDX format per Part II Clause 1.
- Maintain the Vulnerability Disclosure Process: Keep VEX document generation in place for vulnerability disclosure per Part II Clauses 4-6.
- Continuous Monitoring: Enable continuous vulnerability monitoring to detect new threats as they emerge.
Generated by NetRise Platform • 2025-12-11 22:26
This report provides an assessment of CRA compliance based on NetRise platform analysis.