CVE-2024-30150

Medium

Published: 25 February 2025

Published

25 February 2025

Modified

09 January 2026

KEV Added

—

Patch

—

CVSS Score 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Score 0.0038 59.3th percentile

Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-30150 is a medium-severity Improper Privilege Management (CWE-269) vulnerability in Hcltech Dryice Mycloud. Its CVSS base score is 5.3 (Medium).

Operationally, ranked in the top 40.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Enforces approved access authorizations, directly preventing unauthenticated privilege escalation and improper access control exploitation.

AC-6 Least Privilege good match

prevent

Implements least privilege to restrict unauthorized escalations and limit impact of access control flaws leading to disclosure or SSRF.

AC-14 Permitted Actions Without Identification or Authentication good match

prevent

Explicitly authorizes and limits actions performable without identification or authentication, countering the unauthenticated access vulnerability.

NVD Description

HCL MyCloud is affected by Improper Access Control - an unauthenticated privilege escalation vulnerability which may lead to information disclosure and potential for Server-Side Request Forgery (SSRF) and Denial of Service(DOS) attacks from unauthenticated users.

Deeper analysisAI

CVE-2024-30150 is an improper access control vulnerability in HCL MyCloud, manifesting as an unauthenticated privilege escalation issue. This flaw allows unauthorized access that may result in information disclosure, as well as potential server-side request forgery (SSRF) and denial-of-service (DoS) attacks. The vulnerability is rated with a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) and is associated with CWE-269 (Improper Privilege Management) and CWE-918 (Server-Side Request Forgery).

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Successful exploitation enables information disclosure of sensitive data and opens the door to SSRF for further internal network reconnaissance or abuse, along with potential DoS disruptions, all from external, privilege-less positions.

The HCL Software support advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0119368 provides details on mitigation and patching instructions for affected HCL MyCloud deployments.

Details

CWE(s): CWE-269 CWE-918

Affected Products

hcltech

dryice mycloud

10.8.1

CVEs Like This One

CVE-2024-42168Same vendor: Hcltech

CVE-2025-52631Same vendor: Hcltech

CVE-2025-52626Same vendor: Hcltech

CVE-2025-55270Same vendor: Hcltech

CVE-2025-55261Same vendor: Hcltech

CVE-2025-55263Same vendor: Hcltech

CVE-2025-52636Same vendor: Hcltech

CVE-2024-42176Same vendor: Hcltech

CVE-2025-55267Same vendor: Hcltech

CVE-2024-42180Same vendor: Hcltech

References

https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0119368
Vendor Advisory · psirt@hcl.com