CVE-2024-7322 in EmberZNet
Summary
by MITRE • 01/15/2025
A ZigBee coordinator, router, or end device may change their node ID when an unsolicited encrypted rejoin response is received, this change in node ID causes Denial of Service (DoS). To recover from this DoS, the network must be re-established
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 09/16/2025
This vulnerability affects ZigBee network devices including coordinators routers and end devices that may experience a denial of service condition when processing unsolicited encrypted rejoin responses. The flaw occurs during the network rejoining process where a device accepts and processes unauthorized rejoin messages that contain encrypted payloads. When such messages are received the device may alter its node identifier resulting in network disruption and service unavailability. The vulnerability specifically targets the node identification management mechanism within the ZigBee protocol stack where device authentication and network membership validation occurs.
The technical implementation of this vulnerability stems from inadequate validation of rejoin response messages within the ZigBee network layer. When a device receives an unsolicited encrypted rejoin response it fails to properly authenticate the message source or validate the integrity of the node ID change request. This allows malicious actors or network anomalies to manipulate device identifiers without proper authorization. The node ID change represents a fundamental disruption to network topology as the device becomes unreachable under its previous identifier while assuming a new one. This behavior violates the expected network stability requirements and creates a condition where legitimate network operations cannot proceed normally.
The operational impact of this vulnerability manifests as a complete denial of service condition that requires significant network recovery efforts. Once affected devices change their node IDs the entire network topology becomes disrupted since other devices cannot locate them using their original identifiers. Network management systems lose connectivity to affected nodes and the overall network functionality degrades substantially. The recovery process necessitates complete network reconfiguration and re-establishment which can take considerable time depending on network size and complexity. This vulnerability particularly affects industrial and IoT environments where continuous network availability is critical for operational processes and automation systems.
Mitigation strategies should focus on implementing strict message validation procedures and authentication mechanisms within ZigBee network implementations. Device firmware should be updated to reject unsolicited rejoin responses that contain node ID changes without proper authorization verification. Network administrators should consider implementing additional network monitoring to detect anomalous node ID changes and alert on suspicious rejoin activities. The vulnerability aligns with CWE-284 Access Control Issues and represents a specific case of improper privilege management within network protocols. From an ATT&CK framework perspective this vulnerability maps to T1499 Endpoint Denial of Service and T1566 Impair Command and Control which could allow adversaries to disrupt network operations and potentially escalate their access within the environment. Organizations should also implement network segmentation and monitoring solutions to detect and prevent unauthorized rejoin operations that could lead to this denial of service condition.