Cyber Resilience

CVE-2024-12651

HighUpdated

Published: 14 February 2025

Published
14 February 2025
Modified
01 June 2026
KEV Added
Patch
CVSS Score v3.1 8.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
EPSS Score 0.0010 27.1th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-12651 is a high-severity Exposed Dangerous Method or Function (CWE-749) vulnerability in Gov (inferred from references). Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2024-12651 is an Exposed Dangerous Method or Function vulnerability in the PTT Inc. HGS Mobile App that allows manipulation of user-controlled variables. This issue affects versions of the HGS Mobile App prior to 6.5.0. The vulnerability is classified under CWE-749 and carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N), indicating high severity due to its network accessibility, low complexity, and potential for significant confidentiality impact across scope.

A low-privileged user (PR:L) can exploit this vulnerability over the network (AV:N) with low attack complexity and no user interaction required. Successful exploitation enables high-impact confidentiality breaches, such as unauthorized access to sensitive data (C:H), alongside low-impact integrity modifications (I:L), while availability remains unaffected (A:N). The changed scope (S:C) suggests the attack can affect resources beyond the vulnerable component.

Mitigation is addressed in the USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0034, with upgrading to HGS Mobile App version 6.5.0 or later eliminating the vulnerability in affected versions. Security practitioners should verify patch deployment and review access controls for low-privileged accounts interacting with the app.

EU & UK References

Vulnerability details

Exposed Dangerous Method or Function vulnerability in PTT Inc. HGS Mobile App allows Manipulating User-Controlled Variables. This issue affects HGS Mobile App: before 6.5.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Exposed dangerous method (CWE-749) in network-accessible app directly enables remote exploitation of public-facing application (T1190) and privilege escalation via variable manipulation leading to scope change (T1068).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-5173Shared CWE-749
CVE-2026-30921Shared CWE-749
CVE-2024-13242Shared CWE-749
CVE-2026-3483Shared CWE-749
CVE-2026-8108Shared CWE-749
CVE-2025-47366Shared CWE-749
CVE-2026-30957Shared CWE-749
CVE-2026-4051Shared CWE-749
CVE-2026-33583Shared CWE-749
CVE-2025-53964Shared CWE-749

Affected Assets

Gov
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces access control decisions so that low-privileged users cannot invoke the exposed dangerous method or manipulate user-controlled variables.

prevent

Restricts low-privileged accounts from reaching the dangerous functionality that the vulnerability exposes.

prevent

Validates or sanitizes user-supplied variables before they are used by the exposed method, blocking manipulation attacks.

References