Cyber Posture

CVE-2024-38320

Medium

Published: 27 January 2025

Modified: 18 August 2025
CVSS Score: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0006 (19.7th percentile)
Risk Priority: 12 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-38320 is a medium-severity Use of a Broken or Risky Cryptographic Algorithm (CWE-327) vulnerability in Linux Linux Kernel. Its CVSS base score is 5.9 (Medium).

Operationally, it is ranked at the 19.7th percentile by EPSS exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SC-28 (Protection of Information at Rest).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SC-13 Cryptographic Protection (prevent): Directly mandates FIPS-validated cryptographic mechanisms to prevent decryption of sensitive information protected by weak algorithms, as in CVE-2024-38320.

Flaw remediation (prevent): Requires timely identification, reporting, and correction of system flaws like CVE-2024-38320 through patching weak cryptographic implementations.

SC-28 Protection of Information at Rest (prevent): Implements cryptographic mechanisms to protect the confidentiality of sensitive backup data at rest, directly countering weak-algorithm vulnerabilities in Storage Protect software.

NVD Description

IBM Storage Protect for Virtual Environments: Data Protection for VMware and Storage Protect Backup-Archive Client 8.1.0.0 through 8.1.23.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

Deeper analysis

CVE-2024-38320 is a cryptographic weakness (CWE-327) in IBM Storage Protect for Virtual Environments: Data Protection for VMware and Storage Protect Backup-Archive Client, affecting versions 8.1.0.0 through 8.1.23.0. These components use weaker than expected cryptographic algorithms, potentially enabling an attacker to decrypt highly sensitive information. The vulnerability carries a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating medium severity primarily due to high confidentiality impact.

An unauthenticated attacker (PR:N) can exploit this over the network (AV:N) without user interaction (UI:N), though the attack complexity is high (AC:H). Successful exploitation yields a high confidentiality impact (C:H), allowing decryption of sensitive data, with no impact on integrity or availability and no scope change.

IBM has published security bulletins detailing mitigations and patches at https://www.ibm.com/support/pages/node/7173462 and https://www.ibm.com/support/pages/node/7173465. Security practitioners should review these for upgrade instructions to address the weak algorithms.

Details

CWE(s): CWE-327 (Use of a Broken or Risky Cryptographic Algorithm)

Affected Products

IBM Storage Protect for Virtual Environments: 8.1.0.0 — 8.1.24.0
IBM Storage Protect: 8.1.0.0 — 8.1.24.0

CVEs Like This One

CVE-2025-13916 (same product: Linux Linux Kernel)
CVE-2024-41763 (same product: Linux Linux Kernel)
CVE-2026-3598 (same product: Apple Macos)
CVE-2025-14917 (same product: Apple Macos)
CVE-2025-14915 (same product: Apple Macos)
CVE-2024-43178 (same product: Linux Linux Kernel)
CVE-2024-45643 (same product: Linux Linux Kernel)
CVE-2026-30791 (same product: Apple Macos)
CVE-2025-58743 (same product: Microsoft Windows)
CVE-2026-21218 (same product: Apple Macos)
