CVE-2024-30150
Published: 25 February 2025
Summary
CVE-2024-30150 is a medium-severity Improper Privilege Management (CWE-269) vulnerability in Hcltech Dryice Mycloud. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 40.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2024-30150 is an improper access control vulnerability in HCL MyCloud, manifesting as an unauthenticated privilege escalation issue. This flaw allows unauthorized access that may result in information disclosure, as well as potential server-side request forgery (SSRF) and denial-of-service (DoS) attacks. The vulnerability is rated with a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) and is associated with CWE-269 (Improper Privilege Management) and CWE-918 (Server-Side Request Forgery).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Successful exploitation enables information disclosure of sensitive data and opens the door to SSRF for further internal network reconnaissance or abuse, along with potential DoS disruptions, all from external, privilege-less positions.
The HCL Software support advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0119368 provides details on mitigation and patching instructions for affected HCL MyCloud deployments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-28086
Vulnerability details
HCL MyCloud is affected by Improper Access Control - an unauthenticated privilege escalation vulnerability which may lead to information disclosure and potential for Server-Side Request Forgery (SSRF) and Denial of Service(DOS) attacks from unauthenticated users.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct unauthenticated remote exploitation of public-facing web app (T1190) resulting in privilege escalation (T1068) with info disclosure/SSRF/DoS impact.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved access authorizations, directly preventing unauthenticated privilege escalation and improper access control exploitation.
Implements least privilege to restrict unauthorized escalations and limit impact of access control flaws leading to disclosure or SSRF.
Explicitly authorizes and limits actions performable without identification or authentication, countering the unauthenticated access vulnerability.