CVE-2024-1509
Published: 28 February 2025
Summary
CVE-2024-1509 is a high-severity Unprotected Transport of Credentials (CWE-523) vulnerability in Broadcom Brocade Active Support Connectivity Gateway. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557); ranked at the 25.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-8 (Transmission Confidentiality and Integrity).
Deeper analysis
CVE-2024-1509 is a high-severity vulnerability (CVSS 9.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) affecting the Brocade ASCG Web Interface in versions prior to 3.2.0. The issue stems from the web interface not enforcing HTTP Strict Transport Security (HSTS) as defined by RFC 6797. HSTS is an optional response header that instructs browsers to communicate only via HTTPS, and its absence exposes the interface to risks such as protocol downgrades and weakened security controls.
Attackers can exploit this vulnerability remotely over the network with low complexity, requiring no privileges or user interaction. A network-based adversary positioned for man-in-the-middle (MITM) attacks can perform SSL-stripping to downgrade HTTPS connections to HTTP, enabling traffic interception. This also facilitates downgrade attacks and reduces protections against cookie hijacking, potentially leading to high confidentiality and integrity impacts such as unauthorized access to sensitive data or session takeover.
The Broadcom security advisory recommends upgrading to Brocade ASCG version 3.2.0 or later to mitigate the vulnerability by enabling proper HSTS enforcement. Additional details are available in the advisory at https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25428. The issue is associated with CWE-523 (Insufficiently Protected Credentials).
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-17257
Vulnerability details
Brocade ASCG before 3.2.0 Web Interface is not enforcing HSTS, as defined by RFC 6797. HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of…
more
HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Lack of HSTS directly enables SSL-stripping downgrade attacks and facilitates Adversary-in-the-Middle interception of web sessions.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SC-8 requires protection of transmission confidentiality and integrity, directly mitigated by HSTS enforcement to prevent SSL-stripping and protocol downgrade attacks.
CM-6 mandates secure configuration settings for web servers, including HSTS headers to ensure HTTPS-only communication and block downgrade vulnerabilities.
SI-2 flaw remediation addresses the vulnerability by requiring timely upgrade to Brocade ASCG 3.2.0 or later, which implements HSTS enforcement.