Cyber Posture

CVE-2024-38291

High

Published: 27 February 2025

Published
27 February 2025
Modified
11 July 2025
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0023 45.4th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-38291 is a high-severity Improper Access Control (CWE-284) vulnerability in Extremenetworks Xiq-Se. Its CVSS base score is 8.8 (High).

Operationally, ranked at the 45.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match
prevent

Enforces approved authorizations to prevent low-privileged users from accessing admin passwords in XIQ-SE.

IA-5 Authenticator Management good match
prevent

Protects authenticators such as admin passwords from unauthorized disclosure and improper access by low-privileged users.

AC-6 Least Privilege partial match
prevent

Limits user privileges to the minimum necessary, reducing the impact of privilege escalation via accessed admin passwords.

NVD Description

In XIQ-SE before 24.2.11, a low-privileged user may be able to access admin passwords, which could lead to privilege escalation.

Deeper analysisAI

CVE-2024-38291 is a vulnerability in XIQ-SE versions prior to 24.2.11 that allows a low-privileged user to access admin passwords, potentially enabling privilege escalation. The issue stems from improper access control (CWE-284) and insufficiently protected credentials (CWE-522), earning a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A low-privileged user with network access can exploit the vulnerability with low attack complexity and without requiring user interaction. Exploitation provides high-impact access to admin passwords, allowing the attacker to escalate privileges and potentially compromise confidentiality, integrity, and availability of the system.

Extreme Networks security advisory SA-2024-105 details the unauthorized access to user credentials in XIQ-SE and provides guidance on the issue, available at https://community.extremenetworks.com/t5/security-advisories-formerly/sa-2024-105-xiq-se-unauthorized-access-to-user-credentials-cve/ba-p/116363. Mitigation requires updating to XIQ-SE version 24.2.11 or later.

Details

CWE(s)
CWE-284CWE-522

Affected Products

extremenetworks
xiq-se
≤ 24.2.11

CVEs Like This One

CVE-2024-38292Same product: Extremenetworks Xiq-Se
CVE-2026-35185Shared CWE-284, CWE-522
CVE-2026-22043Shared CWE-284, CWE-522
CVE-2025-25950Shared CWE-284
CVE-2026-5786Shared CWE-284
CVE-2025-58130Shared CWE-522
CVE-2026-32768Shared CWE-284
CVE-2026-33109Shared CWE-284
CVE-2025-24968Shared CWE-284
CVE-2026-33575Shared CWE-522

References