Cyber Resilience

CVE-2024-30150

Severity: Medium
Published: 25 February 2025
Modified: 09 January 2026
KEV Added: not listed
Patch: see the HCL advisory linked below
CVSS Score v3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.0038 (59.7th percentile)
Risk Priority: 11 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-30150 is a medium-severity Improper Privilege Management (CWE-269) vulnerability in HCL MyCloud (vendor entry: Hcltech, product: Dryice Mycloud). Its CVSS v3.1 base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score of 0.0038 sits at the 59.7th percentile, placing it in the top 40.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2024-30150 is an improper access control vulnerability in HCL MyCloud, manifesting as an unauthenticated privilege escalation issue. The flaw allows unauthorized access that may result in information disclosure, with potential for server-side request forgery (SSRF) and denial-of-service (DoS) as follow-on effects. The vulnerability carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) and is associated with CWE-269 (Improper Privilege Management) and CWE-918 (Server-Side Request Forgery).

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. Successful exploitation discloses sensitive data and, where the privileged functionality reached can be pointed at arbitrary URLs, opens the door to SSRF for internal network reconnaissance and to DoS against the service, all from an external position with no credentials. Note that the CVSS vector credits only a low confidentiality impact (C:L, I:N, A:N); the SSRF and DoS outcomes are described as potential consequences and are not reflected in the base score, so deployments exposing MyCloud to the Internet should weigh the vector accordingly.

The HCL Software support advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0119368 provides details on mitigation and patching instructions for affected HCL MyCloud deployments.

Vulnerability details

HCL MyCloud is affected by Improper Access Control: an unauthenticated privilege escalation vulnerability which may lead to information disclosure and potential for Server-Side Request Forgery (SSRF) and Denial of Service (DoS) attacks from unauthenticated users.

CWE(s)

CWE-269 Improper Privilege Management
CWE-918 Server-Side Request Forgery (SSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability is reached by direct, unauthenticated remote exploitation of a public-facing web application (T1190), and the result is an escalation of privilege (T1068) whose impact is information disclosure, SSRF and DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
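A detection angle on the two techniques above, as an added example that is not tooling from the advisory or from HCL: hunt application logs for the signature of this pattern, an unauthenticated request that succeeds against a privileged function, and a caller-supplied URL parameter that points the server at an internal address. The JSON log format, field names, privileged path prefixes and parameter names are assumptions, and the log lines are constructed for the example.

```python
"""Hunt for the pattern this advisory describes (T1190 against a public web
app leading to T1068): an unauthenticated request succeeding against a
privileged function, and a request parameter that points the server at an
internal address (SSRF indicator).

Added example, not tooling from the advisory or from HCL. The JSON log
format, field names, privileged path prefixes and parameter names are
assumptions; the log lines below are constructed for the example.
"""
import ipaddress
import json
from urllib.parse import parse_qs, urlsplit

PRIVILEGED_PREFIXES = ("/api/admin/", "/api/tenants/")   # assumed layout
URL_PARAMS = ("url", "target", "callback")                # assumed names

# Constructed sample: one JSON object per request as an application might log it.
SAMPLE_LOG = """\
{"ts":"2025-02-25T10:00:01Z","src":"203.0.113.7","method":"GET","path":"/login","user":"-","status":200}
{"ts":"2025-02-25T10:00:02Z","src":"203.0.113.7","method":"GET","path":"/api/admin/users","user":"-","status":200}
{"ts":"2025-02-25T10:00:03Z","src":"198.51.100.4","method":"GET","path":"/api/admin/users","user":"ops1","status":200}
{"ts":"2025-02-25T10:00:04Z","src":"203.0.113.7","method":"POST","path":"/api/admin/fetch?url=http://169.254.169.254/latest","user":"-","status":200}
{"ts":"2025-02-25T10:00:05Z","src":"198.51.100.9","method":"GET","path":"/api/admin/users","user":"-","status":401}
"""


def points_internal(value: str) -> bool:
    """True if a URL's host is a loopback, private, link-local or reserved
    address, or a well-known internal name."""
    host = urlsplit(value).hostname
    if not host:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host in ("localhost", "metadata.google.internal")
    return addr.is_loopback or addr.is_private or addr.is_link_local or addr.is_reserved


def find_suspicious(log_text: str) -> list:
    """Return (ts, src, kind, detail) tuples for events matching either rule."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        path, _, query = ev["path"].partition("?")
        unauthenticated = ev.get("user", "-") == "-"
        privileged = path.startswith(PRIVILEGED_PREFIXES)
        # Rule 1: no identity, privileged function, and the server said yes.
        # A 401/403 on the same path is noise; a 2xx is the finding.
        if unauthenticated and privileged and 200 <= ev["status"] < 300:
            findings.append((ev["ts"], ev["src"], "unauth_privileged_success", path))
        # Rule 2: the caller supplied a URL the server would fetch, aimed inward.
        for name, values in parse_qs(query).items():
            if name in URL_PARAMS and any(points_internal(v) for v in values):
                findings.append((ev["ts"], ev["src"], "ssrf_internal_target", values[0]))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

Rule 1 deliberately keys on the response status: a 401 against a privileged path is an attempt, a 2xx with no user is the escalation itself. Rule 2 only fires on parameters the application is known to dereference, so the prefix and parameter lists must be adjusted to the real deployment before this is useful.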

CVEs Like This One

CVE-2025-55261 (same vendor: Hcltech)
CVE-2024-42168 (same vendor: Hcltech)
CVE-2025-55271 (same vendor: Hcltech)
CVE-2025-62319 (same vendor: Hcltech)
CVE-2025-31958 (same vendor: Hcltech)
CVE-2024-42175 (same vendor: Hcltech)
CVE-2024-42172 (same vendor: Hcltech)
CVE-2025-55262 (same vendor: Hcltech)
CVE-2025-52628 (same vendor: Hcltech)
CVE-2024-42169 (same vendor: Hcltech)

Affected Assets

Vendor: hcltech
Product: dryice mycloud
Version: 10.8.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)

Enforces approved access authorizations, directly preventing unauthenticated privilege escalation and improper access control exploitation.

AC-6 Least Privilege (prevent)

Implements least privilege to restrict unauthorized escalations and limit the impact of access control flaws that lead to disclosure or SSRF.

AC-14 Permitted Actions Without Identification or Authentication (prevent)

Explicitly authorizes and limits the actions that can be performed without identification or authentication, countering the unauthenticated access at the root of this vulnerability.
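What AC-14 and AC-3 look like in application code, as an added example that is not HCL MyCloud code: an explicit allowlist of the only actions an anonymous caller may perform, a deny-by-default role check on every other route (an unknown route fails closed), and, because the advisory pairs the access control flaw with CWE-918, a destination check for any URL the server fetches on a caller's behalf. The routes, roles, the Request shape and the injectable resolver are assumptions made for the illustration.

```python
"""Deny-by-default request authorization: an explicit allowlist of the only
actions permitted without authentication (AC-14), role checks on every other
route (AC-3), and a destination check for server-side fetches (CWE-918).

Added example, not HCL MyCloud code. Routes, roles, the Request shape and
the resolver hook are assumptions made for the illustration.
"""
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# AC-14: every action reachable without an identity is listed here. A route
# missing from this set is never served to an anonymous caller.
UNAUTHENTICATED_ALLOWLIST = frozenset({
    ("GET", "/login"),
    ("POST", "/login"),
    ("GET", "/health"),
})

# AC-3: roles permitted per privileged route. An unknown route is denied to
# everyone, so a forgotten table entry fails closed instead of open.
ROUTE_ROLES = {
    ("GET", "/api/tenants"): {"admin"},
    ("GET", "/api/vms"): {"admin", "operator"},
    ("POST", "/api/fetch"): {"admin"},   # hypothetical URL-fetching endpoint
}


@dataclass
class Request:
    method: str
    path: str
    principal: Optional[str] = None         # None means unauthenticated
    roles: frozenset = field(default_factory=frozenset)


def authorize(req: Request) -> bool:
    """True only when the request is explicitly permitted."""
    key = (req.method.upper(), req.path)
    if key in UNAUTHENTICATED_ALLOWLIST:
        return True
    if req.principal is None:
        return False                        # no identity, no privileged action
    allowed = ROUTE_ROLES.get(key)
    if allowed is None:
        return False                        # unknown route: fail closed
    return bool(req.roles & allowed)


# Address ranges a server-side fetch must never reach: loopback, private,
# link-local (cloud metadata services live here), CGNAT, IPv4-mapped IPv6.
_BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]


def outbound_target_allowed(url: str, resolver=socket.getaddrinfo) -> bool:
    """Accept only http(s) URLs whose host resolves exclusively to public
    addresses. `resolver` is injectable so the check can run offline."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
        infos = resolver(parts.hostname, port)
        addrs = [ipaddress.ip_address(info[4][0]) for info in infos]
    except (OSError, ValueError):
        return False
    if not addrs:
        return False
    # Every resolved address must be outside the blocked ranges.
    return not any(addr in net for addr in addrs for net in _BLOCKED_NETS)
```

Two caveats a practitioner should carry into a real implementation: the check in outbound_target_allowed is only sound if the connection is then made to the address that was checked (re-resolving at connect time reopens a DNS rebinding window), and HTTP redirects must be re-checked hop by hop, since a public host can answer with a Location pointing at 169.254.169.254.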
