Cyber Resilience

CVE-2024-1509

Severity: High
Published: 28 February 2025
Modified: 06 April 2026
KEV Added: not listed
Patch: available (see advisory below)
CVSS Score (v4.0): 7.6 (CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0034 (25.9th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2024-1509 is a high-severity Unprotected Transport of Credentials (CWE-523) vulnerability in Broadcom Brocade Active Support Connectivity Gateway. Its CVSS v4.0 base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557). EPSS ranks it at the 25.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-8 (Transmission Confidentiality and Integrity).

Deeper analysis

CVE-2024-1509 is a high-severity vulnerability (CVSS v3.1 base score 9.1, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) affecting the Brocade ASCG web interface in versions prior to 3.2.0. The issue stems from the web interface not enforcing HTTP Strict Transport Security (HSTS) as defined by RFC 6797. HSTS is an optional response header that instructs browsers to communicate with the host only via HTTPS; without it, the interface remains exposed to protocol downgrades and to the weakening of security controls that depend on an HTTPS-only session.

Attackers can exploit this vulnerability remotely over the network with low complexity, requiring no privileges or user interaction. A network-based adversary positioned for man-in-the-middle (MITM) attacks can perform SSL-stripping to downgrade HTTPS connections to HTTP, enabling traffic interception. This also facilitates downgrade attacks and reduces protections against cookie hijacking, potentially leading to high confidentiality and integrity impacts such as unauthorized access to sensitive data or session takeover.

The Broadcom security advisory recommends upgrading to Brocade ASCG version 3.2.0 or later, which mitigates the vulnerability by enforcing HSTS. Additional details are available in the advisory at https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25428. The issue is classified as CWE-523 (Unprotected Transport of Credentials).
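A defender-side check for the condition the advisory describes, added here as an example (it is not code from Broadcom or from the page): it parses Strict-Transport-Security directives per the RFC 6797 syntax and flags a response that lacks the header, carries a malformed or short policy, or omits includeSubDomains. The sample response headers and the one-year baseline are constructed assumptions.

```python
import re

# Baseline policy lifetime this check expects (one year). An assumed threshold, not an RFC 6797 rule.
MIN_MAX_AGE = 31536000

def parse_hsts(value):
    """Parse an STS header value per RFC 6797 s6.1 into {name: value}, or None if malformed.
    Directive names are case-insensitive, must not repeat, and max-age (delta-seconds) is required."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # the grammar permits empty directives (e.g. a trailing ';')
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')  # directive values may be quoted strings
        if not name or name in directives:
            return None  # a repeated directive makes the whole header invalid
        directives[name] = val
    if "max-age" not in directives or not re.fullmatch(r"\d+", directives["max-age"]):
        return None
    return directives

def evaluate_hsts(headers, over_https=True):
    """Return a list of findings for one response's headers (dict; header-name lookup is case-insensitive)."""
    findings = []
    sts = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if sts is None:
        return ["no Strict-Transport-Security header: downgrade and SSL-stripping not prevented"]
    if not over_https:
        findings.append("STS header sent over plain HTTP is ignored by browsers (RFC 6797)")
    directives = parse_hsts(sts)
    if directives is None:
        return findings + ["malformed STS header: browsers ignore it entirely"]
    max_age = int(directives["max-age"])
    if max_age == 0:
        findings.append("max-age=0 clears the policy; host is no longer treated as an HSTS host")
    elif max_age < MIN_MAX_AGE:
        findings.append(f"max-age={max_age} is shorter than the {MIN_MAX_AGE}s baseline")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains absent: subdomains can still be stripped to HTTP")
    return findings

# Constructed sample responses; not captured from a Brocade ASCG device.
VULNERABLE = {"Content-Type": "text/html", "Set-Cookie": "session=abc; Secure; HttpOnly"}
HARDENED = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
WEAK = {"strict-transport-security": 'max-age="300"'}

if __name__ == "__main__":
    for label, hdrs in [("vulnerable", VULNERABLE), ("hardened", HARDENED), ("weak", WEAK)]:
        print(label, evaluate_hsts(hdrs) or ["ok"])
```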

Vulnerability details

Brocade ASCG before 3.2.0 Web Interface is not enforcing HSTS, as defined by RFC 6797. HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1557 Adversary-in-the-Middle (Credential Access)
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.

T1689 Downgrade Attack (Defense Impairment)
Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls.

Why these techniques?

Lack of HSTS directly enables SSL-stripping downgrade attacks and facilitates Adversary-in-the-Middle interception of web sessions.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-0869 (same product: Broadcom Brocade Active Support Connectivity Gateway)
CVE-2024-4282 (same vendor: Broadcom)
CVE-2025-58383 (same vendor: Broadcom)
CVE-2025-9711 (same vendor: Broadcom)
CVE-2024-2240 (same vendor: Broadcom)
CVE-2025-12774 (same vendor: Broadcom)
CVE-2024-5462 (same vendor: Broadcom)
CVE-2024-5461 (same vendor: Broadcom)
CVE-2026-0383 (same vendor: Broadcom)
CVE-2025-58382 (same vendor: Broadcom)

Affected Assets

Vendor: Broadcom
Product: Brocade Active Support Connectivity Gateway
Versions: ≤ 3.1.0

Mitigating Controls (NIST 800-53 r5)

Prevent: SC-8 (Transmission Confidentiality and Integrity) requires protection of transmission confidentiality and integrity, directly mitigated by HSTS enforcement to prevent SSL-stripping and protocol downgrade attacks.

Prevent: CM-6 (Configuration Settings) mandates secure configuration settings for web servers, including HSTS headers, to ensure HTTPS-only communication and block downgrade vulnerabilities.

Prevent: SI-2 (Flaw Remediation) addresses the vulnerability by requiring timely upgrade to Brocade ASCG 3.2.0 or later, which implements HSTS enforcement.