CVE-2024-11497
Published: 14 January 2025
Summary
CVE-2024-11497 is a high-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability. The affected product is not named on this page; the only vendor-side reference is the CERT@VDE advisory VDE-2024-070, and CERT@VDE is the coordinating publisher for industrial-automation vendors rather than the vendor itself. Its CVSS base score is 8.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE sits at the 40.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-11497 is a privilege escalation vulnerability classified under CWE-732 (Incorrect Permission Assignment for Critical Resource), published on 2025-01-14 with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). It enables an authenticated attacker to gain root access on the affected system. The specific software or component impacted is referenced in the VDE-CERT advisory VDE-2024-070.
An attacker holding any valid low-privileged account (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation grants root on the vulnerable component itself (S:U, so no scope change into another authority), with high impact to confidentiality, integrity, and availability (C:H/I:H/A:H). Because the only precondition is an authenticated session, default, shared or weak credentials on the affected device turn this into an effectively unauthenticated root compromise; credential hygiene and network exposure of the management interface therefore matter as much as the patch.
For mitigation details, patches, and additional guidance, refer to the advisory at https://cert.vde.com/en/advisories/VDE-2024-070.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-34375
Vulnerability details
An authenticated attacker can use this vulnerability to perform a privilege escalation to gain root access.
- CWE: CWE-732 Incorrect Permission Assignment for Critical Resource
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1068 Exploitation for Privilege Escalation
Why these techniques?
The CVE describes a remote, authenticated privilege escalation to root caused by incorrect permissions on a critical resource (CWE-732), which maps directly to Exploitation for Privilege Escalation (T1068).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely remediation, including the vendor patch referenced in VDE-2024-070, to directly fix the privilege escalation stemming from the incorrect permission assignment.
- CM-6 (Configuration Settings): mandates secure, documented configuration settings for system components so that critical resources carry the intended permissions, directly countering CWE-732.
- AC-6 (Least Privilege): restricts what low-privileged authenticated users and processes can reach, limiting the footholds from which the escalation to root can be attempted.
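The following is an added example, not code from the VDE advisory or from the affected product. It demonstrates the CWE-732 pattern that the Deeper analysis section describes and that CM-6 is meant to prevent: a file a privileged process executes or sources (or a setuid/setgid binary) that a low-privileged account can modify, either directly or by replacing it through a world-writable parent directory. The audit walks a tree, classifies each regular file, flags the weak cases, and a generic harden step strips group/other write. The directory layout, file names and the CRITICAL_NAMES set are constructed for the demonstration; the hardening is the generic remediation, not the vendor's fix.

```python
"""Audit and remediate CWE-732 style permission mistakes on a Unix-like host.

Added example for this page; it is not code from the VDE advisory or the
affected product. The sample tree, file names and CRITICAL_NAMES are
constructed for the demonstration.
"""
import os
import shutil
import stat
import tempfile

# Constructed: names of files a privileged process executes or sources.
# On a real host this would come from cron dirs, init scripts, sudoers.d, etc.
CRITICAL_NAMES = {"backup.sh", "daemon.conf", "run-update"}


def classify(path, st, critical_names):
    """Return (severity, reason) findings for one regular file."""
    mode = st.st_mode
    is_exec = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    is_setid = bool(mode & (stat.S_ISUID | stat.S_ISGID))
    if not (is_setid or is_exec or os.path.basename(path) in critical_names):
        return []  # not a critical resource; plain data files are out of scope here
    what = "setuid/setgid binary" if is_setid else "critical file"
    findings = []
    if mode & stat.S_IWOTH:
        findings.append(("high", f"{what} is world-writable"))
    elif mode & stat.S_IWGRP:
        # Dangerous only if low-privileged accounts are in that group; an
        # offline audit cannot know, so flag for review rather than high.
        findings.append(("review", f"{what} is group-writable; check group membership"))
    # A tight file mode is not enough: if the parent directory is writable by
    # others and lacks the sticky bit, the file can be renamed away and replaced.
    parent = os.lstat(os.path.dirname(path)).st_mode
    if parent & stat.S_IWOTH and not parent & stat.S_ISVTX:
        findings.append(("high", f"{what} sits in a world-writable directory without sticky bit"))
    return findings


def audit(root_dir, critical_names=CRITICAL_NAMES):
    """Walk root_dir and map relative path -> findings for every flagged file."""
    results = {}
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets, etc. are not checked here
            found = classify(path, st, critical_names)
            if found:
                results[os.path.relpath(path, root_dir)] = found
    return results


def harden(root_dir, findings):
    """Generic CM-6 remediation: strip group/other write from each flagged file
    and from its parent directory (every other bit, including setuid, is kept)."""
    no_go_w = ~(stat.S_IWGRP | stat.S_IWOTH)
    for rel in findings:
        path = os.path.join(root_dir, rel)
        for p in (path, os.path.dirname(path)):
            os.chmod(p, stat.S_IMODE(os.lstat(p).st_mode) & no_go_w)


def build_demo_tree():
    """Constructed sample tree (not a real device image); returns its root."""
    root = tempfile.mkdtemp(prefix="cwe732-demo-")
    layout = {                                    # path: (dir mode, file mode)
        "etc/cron.d/backup.sh": (0o755, 0o777),   # root cron job anyone can edit
        "etc/daemon.conf": (0o755, 0o644),        # correctly locked down
        "opt/scripts/run-update": (0o777, 0o755), # tight file, loose parent dir
        "tmp/scratch.sh": (0o1777, 0o755),        # sticky /tmp: not replaceable
    }
    for rel, (dmode, fmode) in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho placeholder\n")
        os.chmod(path, fmode)
        os.chmod(os.path.dirname(path), dmode)
    return root


def run_demo():
    """Build the constructed tree, audit it, harden it, audit again.
    Returns (findings_before, findings_after); the tree is always removed."""
    root = build_demo_tree()
    try:
        before = audit(root)
        harden(root, before)
        after = audit(root)
    finally:
        shutil.rmtree(root)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    for rel, found in sorted(before.items()):
        for sev, why in found:
            print(f"{sev:6} {rel}: {why}")
    print("after harden:", after)
```

Two findings are expected on the constructed tree: the world-writable cron script, and the update script whose own mode is fine but whose parent directory lets anyone replace it. The sticky-bit case and the correctly permissioned config file produce nothing, and after `harden` the audit is empty. On a real host the audit should run as root over the directories a privileged daemon actually reads, and group-writable hits need a check of group membership before they are dismissed.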