CVE-2024-36047
Published: 27 February 2025
Summary
CVE-2024-36047 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Infoblox NIOS. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation corresponds to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 47.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-36047 is an Improper Input Validation vulnerability (CWE-20) in Infoblox NIOS versions through 8.6.4 and 9.x through 9.0.3. Published on 2025-02-27, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.
The vulnerability can be exploited by any unauthenticated attacker with network access; exploitation has low complexity and requires no user interaction. Successful exploitation has high impact on confidentiality, integrity, and availability, allowing remote code execution or full system compromise.
The Infoblox advisory at https://support.infoblox.com/s/article/000010391 provides details on mitigation, including available patches for affected NIOS versions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53955
Vulnerability details
Infoblox NIOS through 8.6.4 and 9.x through 9.0.3 has Improper Input Validation.
- CWE(s): CWE-20 (Improper Input Validation)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated network RCE via improper input validation on a public-facing Infoblox NIOS appliance directly matches exploitation of public-facing applications (T1190).
Mitigating Controls (NIST 800-53 r5)
SI-10 directly mandates validation of all user inputs to the system, comprehensively addressing the improper input validation (CWE-20) that enables RCE in this CVE.
SI-2 requires timely remediation of flaws, directly mitigating this CVE through application of available Infoblox patches to prevent exploitation.
RA-5 ensures regular vulnerability scanning to identify and prioritize input validation flaws like CVE-2024-36047 for remediation.