CVE-2024-28200
Published: 01 July 2024
Summary
CVE-2024-28200 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in N-Able N-Central. Its CVSS base score is 9.1 (Critical).
Operationally, ranked in the top 2.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability CVE-2024-28200 is an authentication bypass in the user interface of the N-central server, present in all deployments prior to version 2024.2. It is tracked under CWEs 288 and 287 and carries a CVSS 3.1 score of 9.1 reflecting network-accessible attack conditions with no required credentials or user interaction.
An unauthenticated remote attacker can exploit the flaw to bypass authentication controls on the N-central user interface, resulting in high impact to confidentiality and integrity while availability remains unaffected.
N-able's security advisory and the 2024.2 release notes direct customers to upgrade to N-central 2024.2 for remediation; the issue was identified through internal source-code review.
No exploitation in the wild has been observed by the vendor. The associated EPSS score reached a peak of 0.5606 before receding to its current value of 0.4995.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-25319
Vulnerability details
The N-central server is vulnerable to an authentication bypass of the user interface. This vulnerability is present in all deployments of N-central prior to 2024.2. This vulnerability was discovered through internal N-central source code review and N-able has not observed…
more
any exploitation in the wild.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Detects unauthorized successful logons resulting from improper authentication implementations.
Requires adaptive authentication under specific conditions, directly strengthening authentication mechanisms against improper or insufficient authentication.
Identity providers centralize and enforce authentication mechanisms, reducing improper authentication.
Mandates unique identification and authentication of non-organizational users, directly mitigating improper authentication.
Authorizing remote access reduces the ability to bypass authentication via unauthorized alternate remote channels.
Documented procedures ensure personnel are trained on authentication mechanisms, tangibly lowering the risk of improper authentication being exploited.
Security awareness training instructs users on secure authentication practices and avoiding credential compromise.
Training on authentication mechanisms and best practices decreases the occurrence of improper authentication.