Cyber Resilience

CVE-2024-13251

High

Published: 09 January 2025

Published
09 January 2025
Modified
04 June 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0047 65.0th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13251 is a high-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Registration Role Project Registration Role. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 35.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).

Deeper analysis

CVE-2024-13251 is an Incorrect Privilege Assignment vulnerability (CWE-266) in the Drupal Registration role module that allows privilege escalation. The issue affects the Registration role module from version 0.0.0 before 2.0.1. Published on January 9, 2025, it has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation enables privilege escalation, granting high-level access that compromises confidentiality, integrity, and availability of the affected Drupal instance.

The Drupal security advisory SA-CONTRIB-2024-015 details the vulnerability and mitigation steps, available at https://www.drupal.org/sa-contrib-2024-015. Administrators should upgrade the Registration role module to version 2.0.1 or later to remediate the issue.

EU & UK References

Vulnerability details

Incorrect Privilege Assignment vulnerability in Drupal Registration role allows Privilege Escalation.This issue affects Registration role: from 0.0.0 before 2.0.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct privilege escalation via incorrect role assignment in authenticated web app context maps to Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-42368Shared CWE-266
CVE-2025-69293Shared CWE-266
CVE-2026-42680Shared CWE-266
CVE-2025-69378Shared CWE-266
CVE-2026-27102Shared CWE-266
CVE-2025-22736Shared CWE-266
CVE-2024-40591Shared CWE-266
CVE-2026-48879Shared CWE-266
CVE-2025-33179Shared CWE-266
CVE-2026-25414Shared CWE-266

Affected Assets

registration role project
registration role
≤ 2.0.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 requires timely identification, reporting, and correction of flaws, directly mitigating CVE-2024-13251 by patching the vulnerable Drupal Registration role module.

prevent

AC-6 enforces least privilege, preventing privilege escalation from incorrect privilege assignments in the Drupal Registration role module.

prevent

AC-2 establishes processes for managing accounts and privileges, countering incorrect privilege assignments that enable escalation in this CVE.

References