Cyber Posture

CVE-2024-13280

Severity: Critical
Published: 09 January 2025
Modified: 02 September 2025
KEV Added: not listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0017 (38.2nd percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13280 is a critical-severity Insufficient Session Expiration (CWE-613) vulnerability in the Drupal Persistent Login contributed module (listed in vulnerability databases under the vendor name "Persistent Login Project"). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Valid Accounts (T1078). EPSS ranks it at the 38.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-12 (Session Termination) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Valid Accounts (T1078) and Use Alternate Authentication Material: Web Session Cookie (T1550.004). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-12 Session Termination (prevent): mandates session termination mechanisms based on organizational requirements, directly addressing the insufficient session expiration in the Drupal Persistent Login module exploited in CVE-2024-13280. Here that means persistent-login tokens must be invalidated when the account is disabled, not only when the cookie's lifetime elapses.

SI-2 Flaw Remediation (prevent): requires timely identification, reporting, and correction of system flaws, enabling patching of the Persistent Login vulnerability as advised in Drupal SA-CONTRIB-2024-044.

AC-3 Access Enforcement (prevent): enforces approved authorizations for logical access, mitigating the forceful browsing enabled by improperly persistent sessions in CVE-2024-13280.

MITRE ATT&CK Enterprise Techniques

T1078 Valid Accounts [Stealth]
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

T1550.004 Use Alternate Authentication Material: Web Session Cookie [Lateral Movement]
Adversaries can use stolen session cookies to authenticate to web applications and services.
Why these techniques?

The vulnerability lets an attacker keep using a stolen persistent-login cookie (a web session cookie) even after the user account has been disabled, so it facilitates both Valid Accounts (T1078) and Use Alternate Authentication Material: Web Session Cookie (T1550.004).
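The failure mode described above, as an added example that is not code from the Drupal Persistent Login module: a minimal series/token "remember me" store with a validator that shows the CWE-613 pattern (token match only) beside a hardened one that enforces the cookie lifetime (AC-12) and the account's current status (AC-3) and revokes tokens when an account is blocked. The Account and TokenStore classes, the method names and the timestamps are assumptions made for illustration.

```python
# Added example: persistent-login ("remember me") cookie validation, the CWE-613
# pattern next to a hardened version. Not code from the Drupal Persistent Login
# module; it models a generic series/token store in memory so it runs offline,
# and Account, TokenStore and the method names are assumptions for illustration.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Account:
    uid: int
    blocked: bool = False


@dataclass
class TokenRecord:
    uid: int
    token_hash: str    # SHA-256 of the secret half of the cookie, never the secret
    expires_at: float  # absolute lifetime, enforced server side (AC-12)


class TokenStore:
    """In-memory stand-in for a persistent-login token table (assumption)."""

    def __init__(self, accounts: Dict[int, Account], lifetime_s: int = 30 * 86400):
        self.accounts = accounts
        self.lifetime_s = lifetime_s
        self.tokens: Dict[str, TokenRecord] = {}  # series id -> record

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_cookie(self, uid: int, now: float) -> str:
        """Issue a 'series:token' cookie; only the token's hash is stored."""
        series, token = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.tokens[series] = TokenRecord(uid, self._hash(token), now + self.lifetime_s)
        return f"{series}:{token}"

    def validate_cookie_vulnerable(self, cookie: str) -> Optional[int]:
        """CWE-613 pattern: any cookie matching a stored token is accepted. Neither
        lifetime nor account status is consulted, so a stolen cookie keeps working
        after the account is blocked (T1550.004 over a T1078 account)."""
        series, _, token = cookie.partition(":")
        rec = self.tokens.get(series)
        if rec is None or rec.token_hash != self._hash(token):
            return None
        return rec.uid

    def validate_cookie(self, cookie: str, now: float) -> Optional[int]:
        """Hardened: constant-time compare, server-side expiry (AC-12) and an
        active-account check (AC-3). Any failure deletes the series."""
        series, _, token = cookie.partition(":")
        rec = self.tokens.get(series)
        if rec is None:
            return None
        account = self.accounts.get(rec.uid)
        if (not hmac.compare_digest(rec.token_hash, self._hash(token))
                or now >= rec.expires_at
                or account is None or account.blocked):
            del self.tokens[series]
            return None
        return rec.uid

    def block_account(self, uid: int) -> int:
        """Correct block handling: flip the status AND revoke every series the
        user holds, so no validator can honour an old cookie. Returns the count."""
        self.accounts[uid].blocked = True
        doomed = [s for s, r in self.tokens.items() if r.uid == uid]
        for s in doomed:
            del self.tokens[s]
        return len(doomed)


def scenario() -> dict:
    """Exercise both validators on constructed data; returns the outcomes."""
    accounts = {1: Account(1), 2: Account(2), 3: Account(3)}
    store = TokenStore(accounts)
    t0 = 1_700_000_000.0  # constructed timestamp
    out = {}

    # Normal persistent login for uid 1: both validators accept it.
    c1 = store.issue_cookie(1, t0)
    out["vulnerable_before_block"] = store.validate_cookie_vulnerable(c1)
    out["hardened_before_block"] = store.validate_cookie(c1, t0)

    # An administrator blocks uid 1, but this code path never touches the
    # token table: the condition behind CVE-2024-13280.
    accounts[1].blocked = True
    out["vulnerable_after_block"] = store.validate_cookie_vulnerable(c1)
    out["hardened_after_block"] = store.validate_cookie(c1, t0)

    # Lifetime enforcement: the cookie for uid 2 after its lifetime has elapsed.
    c2 = store.issue_cookie(2, t0)
    out["hardened_expired"] = store.validate_cookie(c2, t0 + store.lifetime_s + 1)

    # Blocking through block_account() revokes the series as well, so even the
    # validator that forgets to check status has nothing left to match.
    c3 = store.issue_cookie(3, t0)
    store.block_account(3)
    out["vulnerable_after_revoke"] = store.validate_cookie_vulnerable(c3)
    return out


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The point of the two validators sitting side by side is that the vulnerable one is not "wrong" about the cookie: the token really does match. What it lacks is the binding between the token and the account's present state, which is exactly what AC-12 and AC-3 ask for, and why revoking tokens in the same code path that blocks the account is the robust fix rather than relying on every validator to remember the status check.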

NVD Description

Insufficient Session Expiration vulnerability in Drupal Persistent Login allows Forceful Browsing. This issue affects Persistent Login: from 0.0.0 before 1.8.0, from 2.0.* before 2.2.2.

Deeper analysis

CVE-2024-13280 is an Insufficient Session Expiration vulnerability (CWE-613) in the Drupal Persistent Login module that allows Forceful Browsing. The issue affects Persistent Login versions from 0.0.0 before 1.8.0 and from 2.0.* before 2.2.2. Published on 2025-01-09, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.

The CVSS vector states that remote attackers need no privileges or user interaction and face low attack complexity, with high impact on confidentiality, integrity and availability. Read that alongside the technique mapping above: the practical precondition is a persistent-login cookie (per the analysis above, a stolen one) that the module keeps honouring after the account it belongs to has been disabled, so the realistic outcome is session hijacking and forceful browsing to the areas that account was authorized to reach before it was disabled.

The Drupal security advisory SA-CONTRIB-2024-044 (https://www.drupal.org/sa-contrib-2024-044) gives the fix: upgrade to Persistent Login 1.8.0 on the 1.x branch or 2.2.2 on the 2.x branch. Because the weakness is that tokens issued by a vulnerable release outlive the account's status, consider invalidating outstanding persistent-login tokens for disabled accounts after upgrading; the advisory is the authority on whether the fixed releases do this for you.
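A version check for the two NVD ranges above, as an added example rather than tooling from Drupal or the module. It encodes the boundaries a practitioner most often gets wrong (1.8.0 and 2.2.2 are the fixed releases, so 2.2.1 is affected and 2.2.2 is not, while a pre-release such as 2.2.2-beta1 still sorts below the fix) and scans constructed `composer show` style output for the package; the treatment of legacy "8.x-1.7" style strings as 1.7.0 is an assumption.

```python
# Added example: decide whether an installed Persistent Login release falls in
# the NVD ranges for CVE-2024-13280 ("from 0.0.0 before 1.8.0, from 2.0.* before
# 2.2.2"). Not tooling from Drupal or the module. The `composer show` lines are
# constructed, and reading legacy '8.x-1.7' strings as 1.7.0 is an assumption.
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]
FIXED = {1: (1, 8, 0), 2: (2, 2, 2)}  # branch -> first fixed release

_VERSION_RE = re.compile(
    r"^(?:8\.x-)?v?(\d+)\.(\d+)(?:\.(\d+))?(?:(-)[0-9A-Za-z.]+)?(?:\+[0-9A-Za-z.]+)?$"
)


def parse_version(text: str) -> Optional[Tuple[Version, bool]]:
    """Return ((major, minor, patch), is_prerelease), or None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0)), pre is not None


def is_affected(text: str) -> Optional[bool]:
    """True if the release is vulnerable, False if fixed or outside both ranges,
    None if the version string cannot be read (e.g. '2.2.x-dev')."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    base, pre = parsed
    branch = 1 if base[0] < 2 else base[0]  # 0.x belongs to the 1.x range
    fixed = FIXED.get(branch)
    if fixed is None:
        return False
    # A pre-release of the fixed version (2.2.2-beta1) sorts below 2.2.2.
    return base < fixed or (base == fixed and pre)


# Constructed `composer show` output (name, version, description columns).
SAMPLE_COMPOSER_SHOW = """\
drupal/core               10.3.6  Drupal is an open source content management platform
drupal/persistent_login   2.1.1   Persistent Login
drupal/token              1.15.0  Provides a user interface for the Token API
"""


def audit_composer_show(output: str,
                        package: str = "drupal/persistent_login") -> List[Tuple[str, Optional[bool]]]:
    """Return (version, affected) for every line naming the package."""
    findings = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == package:
            findings.append((parts[1], is_affected(parts[1])))
    return findings


if __name__ == "__main__":
    for version, affected in audit_composer_show(SAMPLE_COMPOSER_SHOW):
        print(version, "affected" if affected else "fixed or unknown")
```

A None result deserves attention rather than silence: a dev branch checkout such as 2.2.x-dev cannot be placed in the range by its string alone and needs to be compared against the commit that fixed the issue.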

Details

CWE(s)

CWE-613 Insufficient Session Expiration

Affected Products

Persistent Login Project: Persistent Login (Drupal contributed module)
Affected: 1.x branch before 1.8.0 · 2.x branch from 2.0.0 before 2.2.2 (i.e. up to 2.2.1)
Fixed: 1.8.0 · 2.2.2

CVEs Like This One

CVE-2026-29092 (shared CWE-613)
CVE-2025-36376 (shared CWE-613)
CVE-2025-56643 (shared CWE-613)
CVE-2025-59786 (shared CWE-613)
CVE-2025-57735 (shared CWE-613)
CVE-2025-22386 (shared CWE-613)
CVE-2026-34828 (shared CWE-613)
CVE-2025-36377 (shared CWE-613)
CVE-2026-25476 (shared CWE-613)
CVE-2026-21622 (shared CWE-613)

References

Drupal SA-CONTRIB-2024-044: https://www.drupal.org/sa-contrib-2024-044