Cyber Resilience

CVE-2024-26566

Severity: High
Published: 07 March 2024
Modified: 30 April 2025
KEV Added: not listed
CVSS v3.1 Score: 8.2 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N)
EPSS Score: 0.0026 (49.9th percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-26566 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Iscute Cute Http File Server. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS ranking places it at the 49.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

An issue in Cute Http File Server v.3.1 allows a remote attacker to escalate privileges via the password verification component.

CWE(s)

CWE-288 Authentication Bypass Using an Alternate Path or Channel

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

- T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1190 Exploit Public-Facing Application (tactic: Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

CVE-2024-26566 enables remote privilege escalation via flawed password verification in a public-facing HTTP file server, facilitating T1190 (Exploit Public-Facing Application) for initial access and T1068 (Exploitation for Privilege Escalation).

Affected Assets

Vendor: iscute
Product: cute http file server
Version: 3.1

Mitigating Controls

Likely Mitigating Controls [AI]

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Each of the following controls addresses CWE-288:

- Authorizing remote access reduces the ability to bypass authentication via unauthorized alternate remote channels.
- Users can identify logons via alternate paths or channels by reviewing the previous logon time.
- Adaptive requirements can apply across access paths, reducing the ability to bypass authentication via alternate channels or paths.
- Centralized IdPs close alternate authentication paths that enable bypass.
- Enforcing authentication for non-organizational users makes it harder to bypass via alternate paths or channels.
- Requiring authentication to occur exclusively over the isolated trusted path directly prevents bypass via alternate or untrusted channels.
