Cyber Posture

CVE-2024-38337

Critical

Published: 19 January 2025

Modified: 25 July 2025
KEV Added: not listed
Patch: available (see the IBM advisory referenced below)
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0011 (28.6th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-38337 is a critical-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability in IBM Sterling Secure Proxy. Its CVSS base score is 9.1 (Critical).

Operationally, its EPSS score of 0.0011 places it at the 28.6th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-3 (Access Enforcement): prevent

Directly enforces approved authorizations for access to sensitive information, mitigating unauthorized retrieval or alteration due to incorrect permission assignments in IBM Sterling Secure Proxy.

AC-6 (Least Privilege): prevent

Implements least privilege to restrict permissions to only those necessary, preventing excessive access granted by incorrect assignments in the vulnerable proxy versions.

Flaw remediation: prevent, recover

Requires timely identification, reporting, and correction of the specific flaw causing incorrect permission assignments in IBM Sterling Secure Proxy versions 6.0.0.0 through 6.2.0.0.

NVD Description

IBM Sterling Secure Proxy 6.0.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.1.0.0, and 6.2.0.0 could allow an unauthorized attacker to retrieve or alter sensitive information contents due to incorrect permission assignments.

Deeper analysis

CVE-2024-38337 is a critical-severity vulnerability (CVSS 9.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) affecting IBM Sterling Secure Proxy versions 6.0.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.1.0.0, and 6.2.0.0. The issue stems from incorrect permission assignments (CWE-732), which could enable an unauthorized attacker to retrieve or alter sensitive information contents.

The vulnerability is exploitable remotely over the network by an unauthenticated attacker (PR:N) with low attack complexity and no user interaction required. Successful exploitation would grant high-impact access to confidential data (C:H) and allow modifications to it (I:H), without affecting availability (A:N), potentially leading to data breaches or unauthorized changes in a proxy environment handling secure communications.

IBM has published a security advisory with details on mitigation and patches at https://www.ibm.com/support/pages/node/7179166. Security practitioners should review it for version-specific remediation steps.

Details

CWE(s): CWE-732 (Incorrect Permission Assignment for Critical Resource)

Affected Products

IBM Sterling Secure Proxy: 6.1.0.0, 6.2.0.0; 6.0.0.0 through 6.0.3.1

CVEs Like This One

CVE-2024-41783 (same product: IBM AIX)
CVE-2025-36258 (same product: IBM AIX)
CVE-2025-13855 (same product: IBM AIX)
CVE-2024-7577 (same product: IBM AIX)
CVE-2025-14974 (same product: IBM AIX)
CVE-2024-52363 (same product: IBM AIX)
CVE-2024-51459 (same product: IBM AIX)
CVE-2025-33088 (same product: Linux kernel)
CVE-2024-49779 (same product: Linux kernel)
CVE-2024-49781 (same product: Linux kernel)
