Cyber Resilience

CVE-2024-24421

CriticalPublic PoCRCE

Published: 21 January 2025

Published
21 January 2025
Modified
03 July 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0018 40.0th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-24421 is a critical-severity Code Injection (CWE-94) vulnerability in Linuxfoundation Magma. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2024-24421 is a type confusion vulnerability in the nas_message_decode function of Magma versions up to and including 1.8.0. Magma, an open-source platform for building access gateways and core networks in cellular deployments, is affected by this issue, which was published on 2025-01-21.

The vulnerability can be exploited remotely by unauthenticated attackers with low complexity and no user interaction, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By sending a crafted NAS packet, attackers can achieve arbitrary code execution or cause a denial of service. It is classified under CWE-94 (Code Injection).

The issue is fixed in Magma v1.9 via commit 08472ba98b8321f802e95f5622fa90fec2dea486. Additional details are available in the advisory at https://cellularsecurity.org/ransacked.

EU & UK References

Vulnerability details

A type confusion in the nas_message_decode function of Magma <= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via a crafted NAS packet.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated RCE via crafted NAS packet in publicly exposed cellular core component directly matches exploitation of public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-24417Same product: Linuxfoundation Magma
CVE-2024-24420Same product: Linuxfoundation Magma
CVE-2024-24423Same product: Linuxfoundation Magma
CVE-2024-24416Same product: Linuxfoundation Magma
CVE-2024-24422Same product: Linuxfoundation Magma
CVE-2024-24419Same product: Linuxfoundation Magma
CVE-2024-24418Same product: Linuxfoundation Magma
CVE-2023-37032Same product: Linuxfoundation Magma
CVE-2023-37029Same product: Linuxfoundation Magma
CVE-2026-25153Same vendor: Linuxfoundation

Affected Assets

linuxfoundation
magma
≤ 1.8.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the type confusion vulnerability in Magma's nas_message_decode function by identifying, prioritizing, and applying the fix from v1.9 commit 08472ba.

prevent

Validates the structure and content of incoming NAS packets to block crafted inputs that trigger the type confusion leading to code execution or DoS.

prevent

Implements memory protections like ASLR and DEP to prevent arbitrary code execution from the type confusion vulnerability even if exploited.

References