CVE-2024-23733
Published: 29 January 2025
Summary
CVE-2024-23733 is a high-severity Insufficiently Protected Credentials (CWE-522) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 4.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and IA-5 (Authenticator Management).
Deeper analysis
The vulnerability is an information disclosure flaw in the Integration Server component of Software AG webMethods 10.15.0 prior to Core_Fix7. It resides in the /WmAdmin/ and /invoke/vm.server/login login pages, which fail to enforce proper authentication checks and thereby expose the administration panel.
Remote unauthenticated attackers can exploit the issue over the network by submitting an arbitrary username together with a blank password to the /WmAdmin/#/login/ URI. Successful requests grant access to the panel and allow retrieval of the target hostname and product version; that unauthenticated, network-reachable disclosure is what the CVSS 3.1 base score of 7.5 reflects. Two points worth noting when reproducing or detecting this: the fragment (#/login/) is client-side routing and never reaches the server, so the request the server actually sees targets /WmAdmin/ and the /invoke/vm.server/login handler named in the description; and although the record is classified as CWE-522 (Insufficiently Protected Credentials), the behaviour described is an authentication check that a blank password satisfies, so controls that enforce authentication, not only those that protect stored credentials, are the relevant fix.
The description indicates that Core_Fix7 addresses the exposure. Public references include a GitHub repository containing further technical details and a proof-of-concept.
The associated EPSS score peaked at 0.2497 and currently stands at 0.1810; the rise after disclosure signals increased exploitation interest, and the current value is still high enough to place the CVE in the top 4.7% by exploit likelihood.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-21189
Vulnerability details
The /WmAdmin/,/invoke/vm.server/login login page in the Integration Server in Software AG webMethods 10.15.0 before Core_Fix7 allows remote attackers to reach the administration panel and discover hostname and version information by sending an arbitrary username and a blank password to the /WmAdmin/#/login/ URI.
- CWE(s): CWE-522 Insufficiently Protected Credentials
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct exploitation of a public-facing web application for unauthenticated access maps to Exploit Public-Facing Application (T1190); the immediate post-exploitation disclosure of hostname and version maps to System Information Discovery (T1082), since it gives the attacker the product version needed to select follow-on exploits.
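One practical way to hunt for the T1190 access pattern above is to review web-server access logs for requests that reach the two administration paths named in this CVE from outside the management network. The script below is an added example, not code from the page or from Software AG: the access-log lines are constructed (Apache combined format), and the management range 10.20.0.0/24 is an assumption. Note that the #/login/ fragment in the advisory's URI is never transmitted, so the path to match on the server side is /WmAdmin/ (and the /invoke/vm.server/login handler).

```python
"""
Added example: flag access-log entries that hit the webMethods Integration
Server administration paths named in CVE-2024-23733 from non-management
sources. Not vendor code; log lines and the management CIDR are constructed.
"""
import ipaddress
import re
from collections import Counter

# Assumption: administrators reach the panel only from this jump-host range.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Paths from the CVE description. The '#/login/' fragment is client-side only,
# so the server (and its log) only ever sees '/WmAdmin/'.
ADMIN_PATHS = ("/WmAdmin/", "/invoke/vm.server/login")

# Apache combined log format, minus referer/user-agent which we do not need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample: one legitimate admin hit, two external hits on the
# login handler and panel, and unrelated traffic.
SAMPLE_LOG = [
    '10.20.0.15 - - [12/Feb/2024:09:01:02 +0000] "GET /WmAdmin/ HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Feb/2024:09:03:44 +0000] "POST /invoke/vm.server/login HTTP/1.1" 200 412',
    '203.0.113.7 - - [12/Feb/2024:09:03:45 +0000] "GET /WmAdmin/ HTTP/1.1" 200 5120',
    '198.51.100.9 - - [12/Feb/2024:09:10:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    'garbage line that does not parse',
]


def is_admin_path(path: str) -> bool:
    """True if the request path (query string and fragment stripped) is one of the
    administration paths. Handles a fragment defensively even though browsers
    never send it."""
    p = path.split("?", 1)[0].split("#", 1)[0]
    return any(p.startswith(a) for a in ADMIN_PATHS)


def is_management_source(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MGMT_NETS)


def find_suspicious(lines):
    """Return one record per admin-path request from a non-management source."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        if is_admin_path(m["path"]) and not is_management_source(m["ip"]):
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "method": m["method"],
                "path": m["path"],
                "status": int(m["status"]),
            })
    return hits


def summarize(hits) -> Counter:
    """Count suspicious admin-path requests per source IP."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print("per-source counts:", dict(summarize(found)))
```

A 200 on POST /invoke/vm.server/login from an external address is the interesting case: on a patched server an arbitrary-username, blank-password attempt should not produce a successful login, so correlate these hits with the Integration Server's own audit log rather than relying on the access log alone.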
Affected Assets
Software AG webMethods Integration Server 10.15.0 before Core_Fix7.
Mitigating Controls (NIST 800-53 r5)
- AC-14 (Permitted Actions Without Identification or Authentication): prohibits sensitive actions such as accessing the administration panel without identification or authentication, directly mitigating the blank-password bypass that discloses hostname and version information.
- IA-5 (Authenticator Management): manages authenticators to require strong credentials and change defaults, preventing acceptance of blank passwords in the vulnerable login mechanism.
- SI-2 (Flaw Remediation): requires timely remediation of flaws like the authentication bypass in webMethods Integration Server through patching to Core_Fix7 or later.
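To make the AC-14 and IA-5 points concrete, and to show the failure class the exploitation section describes (a blank password accepted for any username, with host and version handed out), here is an added example of a hypothetical login handler beside a fail-closed rewrite. This is illustrative code written for this page; it is not webMethods code and makes no claim about the actual root cause in Integration Server. The user name, password and system details are constructed.

```python
"""
Added example: a hypothetical login handler that exhibits the CVE's failure
class (blank password accepted for any username; hostname/version disclosed
before authentication) next to a fail-closed version. Not vendor code.
"""
import hashlib
import hmac
import os

# Constructed values standing in for what the real panel would reveal.
SYSTEM_INFO = {"hostname": "is-prod-01.example.internal", "version": "10.15.0"}


def derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; iteration count kept modest so the example runs quickly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


SALT = os.urandom(16)
# Constructed credential store: one administrator account.
USERS = {"Administrator": derive("c0rrect-horse-battery", SALT)}


def login_vulnerable(username: str, password: str) -> dict:
    """Two defects, both hypothetical illustrations of the CWE-522 class:
    (1) an empty password short-circuits verification, so any username is accepted;
    (2) host/version are included in every response, authenticated or not."""
    if password == "":                      # 'no credential supplied' treated as 'no check'
        return {"authenticated": True, **SYSTEM_INFO}
    stored = USERS.get(username)
    ok = stored is not None and hmac.compare_digest(stored, derive(password, SALT))
    return {"authenticated": ok, **SYSTEM_INFO}


def login_hardened(username: str, password: str) -> dict:
    """Fail closed (AC-14): nothing is disclosed until the credential verifies.
    Blank or missing authenticators are rejected before any lookup (IA-5)."""
    if not username or not password:
        return {"authenticated": False}
    stored = USERS.get(username)
    # Unknown users still pay the KDF cost so response timing does not
    # distinguish valid from invalid usernames.
    candidate = derive(password, SALT)
    if stored is None or not hmac.compare_digest(stored, candidate):
        return {"authenticated": False}
    return {"authenticated": True, **SYSTEM_INFO}


def disclosed_fields(response: dict) -> set:
    """Which system details a response leaks, regardless of outcome."""
    return set(response) & set(SYSTEM_INFO)


if __name__ == "__main__":
    for handler in (login_vulnerable, login_hardened):
        r = handler("anyone", "")
        print(f"{handler.__name__}: blank password -> authenticated={r['authenticated']}, "
              f"leaks={sorted(disclosed_fields(r))}")
```

The hardened version changes two things at once: the blank-password path can no longer reach the credential check, and the response shape on failure carries no system information, so even a future authentication bug would not turn into a hostname/version disclosure.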