Cyber Posture

CVE-2024-12917

High

Published: 24 February 2025

Modified: 15 April 2026
CVSS Score: 8.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)
EPSS Score: 0.0015 (35.8th percentile)
Risk Priority: 17 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-12917 is a high-severity Files or Directories Accessible to External Parties (CWE-552) vulnerability in Gov (inferred from references). Its CVSS base score is 8.3 (High).

Operationally, it ranks at the 35.8th percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-3 (Access Enforcement), prevent: Enforces approved authorizations for logical access to files and directories, directly preventing unauthorized external access due to misconfigured access controls.

CM-6 (Configuration Settings), prevent: Establishes secure configuration settings for access controls, mitigating exploitation of incorrectly configured security levels in Health4All.

Prevent: Restricts low-privilege users (PR:L) to minimal necessary access, limiting the impact of authentication abuse and unauthorized file exposure.

NVD Description

Files or Directories Accessible to External Parties vulnerability in Agito Computer Health4All allows Exploiting Incorrectly Configured Access Control Security Levels, Authentication Abuse. This issue affects Health4All: before 10.01.2025.

Deeper analysis

CVE-2024-12917 is a Files or Directories Accessible to External Parties vulnerability (CWE-552) in Agito Computer Health4All software. It enables exploitation of incorrectly configured access control security levels and authentication abuse, affecting Health4All versions prior to 10.01.2025. The vulnerability has a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L), indicating high severity due to network accessibility, low complexity, and significant impacts on confidentiality and integrity.

An attacker with low privileges (PR:L) can exploit this vulnerability over the network without user interaction. Successful exploitation allows external access to sensitive files or directories, potentially leading to high confidentiality loss through data exposure, high integrity compromise via unauthorized modifications, and low availability disruption.

The USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0042 provides details on this issue. Mitigation involves upgrading Health4All to version 10.01.2025 or later, as the vulnerability affects only prior releases. Security practitioners should review access controls and authentication mechanisms in affected environments.

Details

CWE(s): CWE-552 (Files or Directories Accessible to External Parties)

Affected Products: Gov (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2020-37082 (shared CWE-552)
CVE-2024-48864 (shared CWE-552)
CVE-2025-41240 (shared CWE-552)
CVE-2024-47518 (shared CWE-552)
CVE-2024-57452 (shared CWE-552)
CVE-2026-34361 (shared CWE-552)
CVE-2026-35446 (shared CWE-552)
CVE-2025-11371 (shared CWE-552)
CVE-2024-47106 (shared CWE-552)
CVE-2025-37168 (shared CWE-552)
