CVE-2024-1509
Published: 28 February 2025
Summary
CVE-2024-1509 is a critical-severity Unprotected Transport of Credentials (CWE-523) vulnerability in Broadcom Brocade Active Support Connectivity Gateway. Its CVSS base score is 9.1 (Critical).
Operationally, it ranks at the 24.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-8 (Transmission Confidentiality and Integrity).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SC-8 requires protection of transmission confidentiality and integrity; HSTS enforcement supports it directly by preventing SSL-stripping and protocol downgrade attacks.
CM-6 mandates secure configuration settings for web servers, including HSTS headers that ensure HTTPS-only communication and block downgrade attacks.
SI-2 flaw remediation addresses the vulnerability by requiring timely upgrade to Brocade ASCG 3.2.0 or later, which implements HSTS enforcement.
NVD Description
Brocade ASCG before 3.2.0 Web Interface is not enforcing HSTS, as defined by RFC 6797. HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.
Deeper analysis
CVE-2024-1509 is a critical-severity vulnerability (CVSS 9.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) affecting the Brocade ASCG Web Interface in versions prior to 3.2.0. The issue stems from the web interface not enforcing HTTP Strict Transport Security (HSTS) as defined by RFC 6797. HSTS is an optional response header that instructs browsers to communicate only via HTTPS, and its absence exposes the interface to risks such as protocol downgrades and weakened security controls.
Attackers can exploit this vulnerability remotely over the network with low complexity, requiring no privileges or user interaction. A network-based adversary positioned for man-in-the-middle (MITM) attacks can perform SSL-stripping to downgrade HTTPS connections to HTTP, enabling traffic interception. This also facilitates downgrade attacks and reduces protections against cookie hijacking, potentially leading to high confidentiality and integrity impacts such as unauthorized access to sensitive data or session takeover.
The Broadcom security advisory recommends upgrading to Brocade ASCG version 3.2.0 or later to mitigate the vulnerability by enabling proper HSTS enforcement. Additional details are available in the advisory at https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25428. The issue is associated with CWE-523 (Unprotected Transport of Credentials).
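To confirm after an upgrade that a web interface actually sends a policy browsers will honor, the response headers can be checked against the RFC 6797 parsing rules. The following is an added example, not code from Broadcom or from this page; the function names, the 180-day threshold and the sample responses are assumptions constructed for illustration.

```python
import re

MIN_MAX_AGE = 15552000  # assumption: 180-day audit threshold, not an RFC 6797 value

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).
    Returns {directive: value}, or None when a browser would ignore the header."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue                      # empty directives between ';' are legal
        name, _, val = part.partition("=")
        name, val = name.strip().lower(), val.strip()  # names are case-insensitive
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]               # quoted-string values are permitted
        if name in directives:
            return None                   # each directive may appear only once
        directives[name] = val
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None                       # max-age is required and must be digits
    return directives

def audit_hsts(scheme, headers):
    """Return (ok, reason) for one response; headers is a list of (name, value)."""
    if scheme != "https":
        return (False, "plain HTTP response: browsers ignore HSTS here")
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not values:
        return (False, "header missing")
    policy = parse_hsts(values[0])        # only the first header field is processed
    if policy is None:
        return (False, "header malformed: ignored by browsers")
    max_age = int(policy["max-age"])
    if max_age == 0:
        return (False, "max-age=0 tells the browser to forget the policy")
    if max_age < MIN_MAX_AGE:
        return (False, "max-age below audit threshold")
    return (True, "HSTS enforced for %d seconds" % max_age)

# Constructed sample responses (not captured from any real device).
SAMPLES = [
    ("https", [("Content-Type", "text/html")]),
    ("https", [("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]),
    ("http", [("Strict-Transport-Security", "max-age=31536000")]),
]

if __name__ == "__main__":
    for scheme, headers in SAMPLES:
        print(scheme, audit_hsts(scheme, headers))
```

A header that is present but malformed, duplicated within one field, or delivered only over plain HTTP fails the audit just as a missing header does, because a conforming browser never stores the policy in those cases.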
Details
- CWE(s)