Cyber Resilience

CVE-2024-11716

Medium

Published: 02 January 2025

Modified: 15 April 2026
CVSS Score (v4): 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0513 (90.1st percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-11716 is a medium-severity Improper Enforcement of a Single, Unique Action (CWE-837) vulnerability in CTFd (product inferred from references). Its CVSS v4 base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 9.9% of CVEs by EPSS exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CTFd, an open-source capture-the-flag platform, contains a logic flaw in its team (bracket) assignment mechanism that affects versions 3.7.0 through 3.7.4. Although bracket assignment is intended to occur only once during initial registration, the implementation permits an authenticated user to reset an existing bracket assignment and select a different one after a competition has begun.

An authenticated participant can therefore exploit the issue to switch teams mid-event, potentially gaining access to another team's progress, challenges, or scoring data. The vulnerability carries a CVSS 4.0 score of 5.3 and is tracked under CWE-837 (Improper Enforcement of a Single, Unique Action).

The flaw was corrected in release 3.7.5 by pull request 2636, as noted in the CTFd 3.7.5 announcement and related advisories from CERT.pl and Full Disclosure. Administrators are advised to upgrade to the patched version to restore the intended one-time assignment restriction.

EPSS scores have remained low, with a current value of 0.0513 and a peak of 0.0658, indicating limited observed exploitation interest to date.

Vulnerability details

While assignment of a user to a team (bracket) in CTFd should be possible only once, at the registration, a flaw in logic implementation allows an authenticated user to reset its bracket and then pick a new one, joining another team while a competition is already ongoing. This issue impacts releases from 3.7.0 up to 3.7.4 and was addressed by pull request 2636 (https://github.com/CTFd/CTFd/pull/2636), included in the 3.7.5 release.
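The reset-then-repick sequence described in the deeper analysis and in the vulnerability details above, modelled as an added example that is not CTFd's own code: a minimal set-once profile handler in its flawed form beside a hardened form, plus a regression check that replays the two-step sequence against either handler. The User model, the bracket_id field and the handler names are assumptions for illustration.

```python
# Added example, not CTFd's code. update_profile_vulnerable mirrors the
# class of flaw in CVE-2024-11716 (CWE-837): a profile update that accepts
# a null bracket clears the one-time assignment, after which a second
# update can store a new one. update_profile_hardened refuses any change
# once the field is populated. All names here are assumptions.
from dataclasses import dataclass
from typing import Callable, Optional


class BracketLocked(Exception):
    """Raised when a request tries to clear or change an assigned bracket."""


@dataclass
class User:
    name: str
    bracket_id: Optional[int] = None  # meant to be written once, at registration


def update_profile_vulnerable(user: User, data: dict) -> User:
    """Flawed: whatever value is present in `data` is applied, including
    None, so the one-time assignment can be reset and then chosen again."""
    if "bracket_id" in data:
        user.bracket_id = data["bracket_id"]
    return user


def update_profile_hardened(user: User, data: dict) -> User:
    """Fixed: the bracket is writable only while unset. Clearing it or
    switching it afterwards raises, so the action stays single and unique."""
    if "bracket_id" not in data:
        return user
    requested = data["bracket_id"]
    if user.bracket_id is not None and requested != user.bracket_id:
        raise BracketLocked(f"{user.name}: bracket is already assigned")
    if requested is not None:
        user.bracket_id = requested
    return user


def replay_reset_then_repick(handler: Callable[[User, dict], User],
                             original: int, wanted: int) -> Optional[int]:
    """Regression check: replay the two-step sequence from the advisory
    (reset, then pick another bracket) and return the final assignment."""
    user = User("alice", bracket_id=original)  # constructed sample user
    try:
        handler(user, {"bracket_id": None})    # step 1: reset the assignment
        handler(user, {"bracket_id": wanted})  # step 2: choose a new bracket
    except BracketLocked:
        pass  # the hardened handler stops the sequence at step 1
    return user.bracket_id
```

A correct handler leaves the replayed user in the original bracket; the flawed one ends in the newly chosen bracket.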

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1098.007 Additional Local or Domain Groups (Persistence): an adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access to a system or domain.
Why these techniques?

Logic flaw in public-facing CTFd web app allows authenticated users to manipulate team/group assignments mid-event.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-44601 (shared CWE-837)
CVE-2026-42609 (shared CWE-837)

Affected Assets

CTFd (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI)

AC-3 Access Enforcement (prevent): enforces approved authorizations for logical access, directly preventing the unauthorized reset and change of team assignment after registration that the logic flaw permits.

SI-2 Flaw Remediation (prevent): requires timely remediation of identified flaws, such as patching CTFd to version 3.7.5 or later to fix the team-switching vulnerability.

AC-2 Account Management (prevent): manages account attributes, including the conditions for group and role membership, so that team assignment can be restricted to limit changes after registration.
