Cyber Resilience

CVE-2024-1524

High

Published: 24 February 2026

Published
24 February 2026
Modified
03 March 2026
KEV Added
Patch
CVSS Score v3.1 7.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS Score 0.0026 17.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2024-1524 is a high-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Wso2 Identity Server. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Account Manipulation (T1098); ranked at the 17.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-13 (Identity Providers and Authorization Servers).

Deeper analysis

CVE-2024-1524 affects deployments using the "Silent Just-In-Time Provisioning" feature enabled for a federated identity provider (IDP), as detailed in WSO2 security advisories. The vulnerability arises during the account provisioning process, where a local user store's user information may be replaced if federated users share the same username as existing local users. There is no impact unless an IDP is configured for federated authentication with Silent JIT provisioning specifically enabled.

A malicious actor can exploit this vulnerability if they possess a fresh valid user account in the federated IDP that has not been used earlier, knowledge of a valid local IDP username, and control of a federated IDP account matching that targeted local username. Successful exploitation allows the actor to associate the targeted local user account with their controlled federated IDP account, replacing local user information. The CVSS score of 7.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L) reflects high confidentiality and integrity impacts with low availability impact, mapped to CWE-290.

The WSO2 security advisory provides details on mitigations at https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3144/.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider (IDP) there is a risk that a local user store user's information may be replaced during the account provisioning process in cases where federated users share the…

more

same username as local users. There will be no impact on your deployment if any of the preconditions mentioned below are not met. Only when all the preconditions mentioned below are fulfilled could a malicious actor associate a targeted local user account with a federated IDP user account that they control. The Deployment should have: -An IDP configured for federated authentication with Silent JIT provisioning enabled. The malicious actor should have: -A fresh valid user account in the federated IDP that has not been used earlier. -Knowledge of the username of a valid user in the local IDP. -An account at the federated IDP matching the targeted local username.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1098 Account Manipulation Persistence
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
T1078 Valid Accounts Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Vulnerability enables account manipulation via silent JIT provisioning to hijack/overwrite local accounts with attacker-controlled federated ones, facilitating use of valid accounts.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-12107Same product: Wso2 Identity Server
CVE-2024-8010Same product: Wso2 Api Manager
CVE-2025-10908Same product: Wso2 Identity Server
CVE-2025-10470Same product: Wso2 Identity Server
CVE-2024-2374Same product: Wso2 Api Manager
CVE-2025-10713Same product: Wso2 Api Manager
CVE-2025-10907Same product: Wso2 Api Manager
CVE-2025-10611Same product: Wso2 Api Manager
CVE-2025-13590Same product: Wso2 Api Manager
CVE-2025-11093Same product: Wso2 Api Manager

Affected Assets

wso2
api manager
4.2.0 — 4.2.0.108
wso2
identity server
6.0.0 — 6.0.0.171 · 6.1.0 — 6.1.0.128

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-2 Account Management establishes procedures for account provisioning that prevent unauthorized replacement of local user information by federated accounts sharing usernames.

prevent

IA-4 Identifier Management ensures unique usernames across local and federated stores, directly mitigating collision-based account overwrites.

prevent

IA-13 Identity Providers and Authorization Servers enforces requirements on federated IDPs to avoid risks like Silent JIT provisioning overwriting local accounts.

References