Cyber Posture

CVE-2024-12651

High

Published: 14 February 2025

Published
14 February 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score 8.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
EPSS Score 0.0010 26.8th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-12651 is a high-severity Exposed Dangerous Method or Function (CWE-749) vulnerability in Gov (inferred from references). Its CVSS base score is 8.5 (High).

Operationally, ranked at the 26.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match
prevent

Enforces approved authorizations for access to system resources, directly preventing low-privileged users from exploiting the exposed dangerous method to manipulate variables and access sensitive data.

SI-10 Information Input Validation good match
prevent

Validates information inputs to the exposed dangerous function, blocking manipulation of user-controlled variables that leads to confidentiality breaches.

AC-6 Least Privilege partial match
prevent

Employs least privilege to restrict low-privileged users from performing actions that result in high-impact unauthorized data access via the vulnerability.

NVD Description

Exposed Dangerous Method or Function vulnerability in PTT Inc. HGS Mobile App allows Manipulating User-Controlled Variables.This issue affects HGS Mobile App: before 6.5.0.

Deeper analysisAI

CVE-2024-12651 is an Exposed Dangerous Method or Function vulnerability in the PTT Inc. HGS Mobile App that allows manipulation of user-controlled variables. This issue affects versions of the HGS Mobile App prior to 6.5.0. The vulnerability is classified under CWE-749 and carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N), indicating high severity due to its network accessibility, low complexity, and potential for significant confidentiality impact across scope.

A low-privileged user (PR:L) can exploit this vulnerability over the network (AV:N) with low attack complexity and no user interaction required. Successful exploitation enables high-impact confidentiality breaches, such as unauthorized access to sensitive data (C:H), alongside low-impact integrity modifications (I:L), while availability remains unaffected (A:N). The changed scope (S:C) suggests the attack can affect resources beyond the vulnerable component.

Mitigation is addressed in the USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0034, with upgrading to HGS Mobile App version 6.5.0 or later eliminating the vulnerability in affected versions. Security practitioners should verify patch deployment and review access controls for low-privileged accounts interacting with the app.

Details

CWE(s)
CWE-749

Affected Products

Gov
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2026-5173Shared CWE-749
CVE-2025-47366Shared CWE-749
CVE-2026-35488Shared CWE-749
CVE-2025-59403Shared CWE-749
CVE-2026-30921Shared CWE-749
CVE-2025-53964Shared CWE-749
CVE-2026-30957Shared CWE-749
CVE-2026-3483Shared CWE-749
CVE-2024-13242Shared CWE-749
CVE-2026-22208Shared CWE-749

References