Cyber Resilience

CVE-2024-2466

MediumPublic PoC

Published: 27 March 2024

Published
27 March 2024
Modified
30 July 2025
KEV Added
Patch
CVSS Score v3.1 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS Score 0.0015 35.2th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-2466 is a medium-severity Improper Validation of Certificate with Host Mismatch (CWE-297) vulnerability in Apple Macos. Its CVSS base score is 6.5 (Medium).

Operationally, ranked at the 35.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS. libcurl would wrongly avoid using the set hostname function when the specified hostname was given as…

more

an IP address, therefore completely skipping the certificate check. This affects all uses of TLS protocols (HTTPS, FTPS, IMAPS, POPS3, SMTPS, etc).

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

haxx
curl
8.5.0 — 8.7.0
apple
macos
≤ 12.7.6 · 13.0 — 13.6.8 · 14.0 — 14.6
netapp
h700s firmware
all versions
netapp
bootstrap os
all versions
netapp
h300s firmware
all versions
netapp
h410s firmware
all versions
netapp
h500s firmware
all versions

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-297

Approved PKI issuance and trust stores enforce full certificate validation steps including name/hostname checks.

References