CVE-2024-12651
Published: 14 February 2025
Summary
CVE-2024-12651 is a high-severity Exposed Dangerous Method or Function (CWE-749) vulnerability in Gov (inferred from references). Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2024-12651 is an Exposed Dangerous Method or Function vulnerability in the PTT Inc. HGS Mobile App that allows manipulation of user-controlled variables. This issue affects versions of the HGS Mobile App prior to 6.5.0. The vulnerability is classified under CWE-749 and carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N), indicating high severity due to its network accessibility, low complexity, and potential for significant confidentiality impact across scope.
A low-privileged user (PR:L) can exploit this vulnerability over the network (AV:N) with low attack complexity and no user interaction required. Successful exploitation enables high-impact confidentiality breaches, such as unauthorized access to sensitive data (C:H), alongside low-impact integrity modifications (I:L), while availability remains unaffected (A:N). The changed scope (S:C) suggests the attack can affect resources beyond the vulnerable component.
Mitigation is addressed in the USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0034, with upgrading to HGS Mobile App version 6.5.0 or later eliminating the vulnerability in affected versions. Security practitioners should verify patch deployment and review access controls for low-privileged accounts interacting with the app.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51025
Vulnerability details
Exposed Dangerous Method or Function vulnerability in PTT Inc. HGS Mobile App allows Manipulating User-Controlled Variables. This issue affects HGS Mobile App: before 6.5.0.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Exposed dangerous method (CWE-749) in network-accessible app directly enables remote exploitation of public-facing application (T1190) and privilege escalation via variable manipulation leading to scope change (T1068).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces access control decisions so that low-privileged users cannot invoke the exposed dangerous method or manipulate user-controlled variables.
Restricts low-privileged accounts from reaching the dangerous functionality that the vulnerability exposes.
Validates or sanitizes user-supplied variables before they are used by the exposed method, blocking manipulation attacks.