Cyber Posture

CVE-2024-23733

Severity: High
Published: 29 January 2025
Modified: 15 April 2026
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.1810 (95.2nd percentile)
Risk Priority: 26 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-23733 is a high-severity Insufficiently Protected Credentials (CWE-522) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 4.8% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- AC-14, Permitted Actions Without Identification or Authentication (prevent): Prohibits sensitive actions such as accessing the administration panel without identification or authentication, directly mitigating the blank-password bypass that discloses hostname and version information.

- IA-5, Authenticator Management (prevent): Manages authenticators to require strong credentials and change defaults, preventing acceptance of blank passwords in the vulnerable login mechanism.

- Flaw remediation (prevent): Requires timely remediation of flaws like the authentication bypass in webMethods Integration Server through patching to Core_Fix7 or later.

NVD Description

The /WmAdmin/,/invoke/vm.server/login login page in the Integration Server in Software AG webMethods 10.15.0 before Core_Fix7 allows remote attackers to reach the administration panel and discover hostname and version information by sending an arbitrary username and a blank password to the /WmAdmin/#/login/ URI.

Deeper analysis

CVE-2024-23733 is an information disclosure vulnerability in the Integration Server component of Software AG webMethods version 10.15.0 prior to Core_Fix7. Specifically, the /WmAdmin/ and /invoke/vm.server/login pages allow remote attackers to bypass authentication restrictions on the administration panel. By submitting an arbitrary username paired with a blank password to the /WmAdmin/#/login/ URI, attackers can reach the panel and retrieve sensitive details, including the server's hostname and version information. The flaw is mapped to CWE-522 (Insufficiently Protected Credentials) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no impact on integrity or availability.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation simply involves sending a crafted login request to the vulnerable URI, granting immediate access to the administration interface where hostname and version data are exposed. This reconnaissance enables attackers to map the target's environment, potentially aiding in subsequent exploits tailored to the discovered software version or infrastructure details.

The vulnerability is mitigated by upgrading to Core_Fix7 or later in Software AG webMethods 10.15.0. Further technical details, including a proof-of-concept, are documented in the GitHub repository at https://github.com/ekcrsm/CVE-2024-23733/tree/main.

Details

CWE(s): CWE-522 (Insufficiently Protected Credentials)

CVEs Like This One

- CVE-2025-69271 (shared CWE-522)
- CVE-2026-23658 (shared CWE-522)
- CVE-2025-25650 (shared CWE-522)
- CVE-2025-27650 (shared CWE-522)
- CVE-2025-54863 (shared CWE-522)
- CVE-2025-26492 (shared CWE-522)
- CVE-2026-21670 (shared CWE-522)
- CVE-2025-36568 (shared CWE-522)
- CVE-2025-58130 (shared CWE-522)
- CVE-2026-35467 (shared CWE-522)
