CVE-2024-36046
Published: 27 February 2025
Summary
CVE-2024-36046 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in Infoblox NIOS, affecting versions through 8.6.4. Its CVSS v3.1 base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 49.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-7 (Least Functionality).
Deeper analysis
CVE-2024-36046 is a critical vulnerability (CVSS v3.1 base score 9.8; vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting Infoblox NIOS through version 8.6.4, published on 2025-02-27. It is classified as CWE-269 (Improper Privilege Management): the software executes with more privileges than it requires, so any flaw reachable in that code path inherits those excess privileges.
The vector describes a remote, network-reachable attack that requires no privileges and no user interaction and has low attack complexity. Successful exploitation has high impact on confidentiality, integrity, and availability (scope unchanged), which in practice means full compromise of the affected appliance.
The Infoblox advisory at https://support.infoblox.com/s/article/000010390 provides details on mitigation. Since the public description does not name the affected component, treat every NIOS deployment at version 8.6.4 or earlier as in scope until that advisory has been checked.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53956
Vulnerability details
Infoblox NIOS through 8.6.4 executes with more privileges than required.
- CWE(s): CWE-269 (Improper Privilege Management)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1068 Exploitation for Privilege Escalation
Why these techniques?
An unauthenticated remote attacker reaching a public-facing Infoblox NIOS service maps to T1190 (Exploit Public-Facing Application). Because the vulnerable software runs with more privileges than it needs (CWE-269), a successful exploit executes with those excess privileges, which is the effect ATT&CK describes as T1068 (Exploitation for Privilege Escalation) and which yields full system compromise.
Mitigating Controls (NIST 800-53 r5)
- AC-6 (Least Privilege): Directly enforces the principle of least privilege, addressing the core issue of software executing with excessive privileges (CWE-269).
- CM-7 (Least Functionality): Limits the system to essential functionality only, reducing the attack surface and the need for elevated privileges that enable full system compromise.
- Access enforcement: Enforces approved authorizations for access to system resources, helping to contain the impact of processes running with improper privileges.
None of these controls removes the flaw itself; upgrading per the Infoblox advisory is the fix, and the controls limit the blast radius in the interim.