Cyber Resilience

CVE-2024-27348

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 22 April 2024
Modified: 23 October 2025
KEV Added: 18 September 2024
Patch:
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9434 (100.0th percentile)
Risk Priority: 96 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-27348 is a critical-severity Improper Access Control (CWE-284) vulnerability in Apache Hugegraph. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

Apache HugeGraph-Server versions 1.0.0 through 1.2.x running on Java 8 or Java 11 are affected by CVE-2024-27348, a remote command execution vulnerability with a CVSS 3.1 score of 9.8. The issue is classified under CWE-284 (Improper Access Control) and carries an NVD-CWE-noinfo entry; the access-control failure allows unauthenticated command execution over the network.

An attacker with no credentials and only network reachability can invoke the vulnerable endpoints to run arbitrary commands on the underlying host, achieving full control over confidentiality, integrity, and availability of the graph database server.

Apache advisories direct users to upgrade to 1.3.0 on Java 11 and to enable the built-in authentication system; configuration guidance for authentication is provided in the project documentation, and the fix is referenced in the April 2024 oss-security and Apache mailing-list announcements.

The EPSS score currently stands at 0.9434 with a recorded peak of 0.9656.

EU & UK References

Vulnerability details

RCE-Remote Command Execution vulnerability in Apache HugeGraph-Server. This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.3.0 in Java8 & Java11. Users are recommended to upgrade to version 1.3.0 with Java11 & enable the Auth system, which fixes the issue.

CWE(s): CWE-284 (Improper Access Control)
KEV Date Added: 18 September 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: apache
Product: hugegraph
Versions: 1.0.0 to 1.3.0 (affected from 1.0.0 before 1.3.0; fixed in 1.3.0)

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Directly enforces authentication before allowing any requests, blocking the unauthenticated RCE path described in CVE-2024-27348.

SI-2 Flaw Remediation (prevent): Requires timely application of the vendor patch (upgrade to 1.3.0 on Java 11) that eliminates the underlying flaw.

Identification and authentication (prevent): Mandates identification and authentication of users before granting access, directly supporting the advisory's requirement to enable the HugeGraph Auth system.

References