Cyber Resilience

CVE-2024-11625

High

Published: 07 January 2025
Modified: 29 July 2025
KEV Added: not listed
Patch: vendor advisory available
CVSS Score v3.1: 7.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L)
EPSS Score: 0.0012 (30.4th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-11625 is a high-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability in Progress Sitefinity. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the CVE at the 30.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2024-11625 is an Information Exposure Through an Error Message vulnerability (CWE-209) in Progress Software Corporation's Sitefinity content management system. It affects Sitefinity versions from 4.0 through 14.4.8142, 15.0.8200 through 15.0.8229, 15.1.8300 through 15.1.8327, and 15.2.8400 through 15.2.8421. The vulnerability has a CVSS v3.1 base score of 7.7 (High), with a vector of AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L, indicating network accessibility, high attack complexity, no privileges or user interaction required, and impacts of high confidentiality and integrity loss alongside low availability disruption.

Unauthenticated remote attackers can exploit this vulnerability over the network by triggering specific error conditions whose error messages disclose sensitive information. Successful exploitation has a high confidentiality impact (exposure of potentially sensitive data), a high integrity impact (manipulation made possible by the leaked information) and a low availability impact, though the High attack-complexity rating indicates that exploitation is not straightforward.

Progress Software has issued a security advisory detailing mitigation for CVE-2024-11625, available at https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-11625-and-CVE-2024-11626-January-2025. Additional resources on Sitefinity are at https://www.progress.com/sitefinity-cms. Security practitioners should review the advisory for patching instructions and apply updates to affected versions promptly.


Vulnerability details

Information Exposure Through an Error Message vulnerability in Progress Software Corporation Sitefinity. This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421.

CWE(s)

CWE-209 Generation of Error Message Containing Sensitive Information

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1082 System Information Discovery (Discovery): An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
Why these techniques?

The CVE enables remote, unauthenticated exploitation of a public-facing web application (T1190), resulting in the disclosure of sensitive system and configuration data via error messages (T1082).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-7201 (same product: Progress Sitefinity)
CVE-2024-11627 (same product: Progress Sitefinity)
CVE-2024-11626 (same product: Progress Sitefinity)
CVE-2026-7198 (same product: Progress Sitefinity)
CVE-2026-7313 (same product: Progress Sitefinity)
CVE-2026-7195 (same product: Progress Sitefinity)
CVE-2026-7312 (same product: Progress Sitefinity)
CVE-2026-2699 (same vendor: Progress)
CVE-2025-13774 (same vendor: Progress)
CVE-2026-6023 (same vendor: Progress)

Affected Assets

Vendor: progress
Product: sitefinity
Versions: 4.0 — 14.4.8143 · 15.0.8200 — 15.0.8230 · 15.1.8300 — 15.1.8328

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent · SI-11 (Error Handling): Directly addresses the CVE by requiring error handling that prevents disclosure of sensitive information through error messages.

prevent: Ensures timely remediation of the specific flaw in Sitefinity that exposes sensitive data via error messages.

prevent · SI-15 (Information Output Filtering): Filters system outputs, including error messages, to prevent unauthorized exposure of sensitive information to unauthenticated attackers.
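As an added illustration of what SI-11 and SI-15 look like in practice for an ASP.NET application such as Sitefinity, the following web.config fragments contrast a configuration that serves detailed error pages to every client with one that keeps details on the server. This is generic ASP.NET/IIS hardening written for this page, not configuration from Progress or from the Sitefinity advisory; the page paths (`~/Error.aspx`, `~/NotFound.aspx`) are placeholders. It reduces exposure from unhandled-exception pages only; the application-level flaw behind CVE-2024-11625 is fixed by applying the vendor update.

```xml
<!-- Weak: debug compilation and customErrors mode="Off" send full ASP.NET
     error pages (stack traces, physical paths, framework versions) to every
     remote client, which is exactly the CWE-209 pattern. -->
<configuration>
  <system.web>
    <compilation debug="true" />
    <customErrors mode="Off" />
  </system.web>
</configuration>

<!-- Hardened: remote clients receive a generic page; detailed errors remain
     visible only on localhost for operators. The IIS-level httpErrors section
     covers 500s that ASP.NET's own handler never sees, so both layers filter
     output consistently (SI-15). -->
<configuration>
  <system.web>
    <compilation debug="false" />
    <!-- mode="RemoteOnly": generic page off-box, details on the server console;
         use mode="On" if details must never be shown, even locally. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx">
      <error statusCode="404" redirect="~/NotFound.aspx" />
      <error statusCode="500" redirect="~/Error.aspx" />
    </customErrors>
  </system.web>
  <system.webServer>
    <!-- existingResponse="Replace" ensures an error body produced by the
         application is not passed through to the client unchanged. -->
    <httpErrors errorMode="Custom" existingResponse="Replace">
      <remove statusCode="500" />
      <error statusCode="500" path="/Error.aspx" responseMode="ExecuteURL" />
    </httpErrors>
  </system.webServer>
</configuration>
```

The generic error page should carry only a correlation identifier that operators can match against server-side logs, where the full exception is recorded; that keeps the detail available for diagnosis (SI-11) without returning it to an unauthenticated client. A spike in HTTP 500 responses on public Sitefinity endpoints is also a useful detection signal while the vendor update is being rolled out.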
