Cyber Resilience

CVE-2024-38337

Severity: Critical

Published: 19 January 2025
Modified: 25 July 2025
KEV Added: not listed (not in the CISA KEV catalog)
Patch: vendor advisory available (see Deeper analysis)

CVSS v3.1 base score: 9.1 (Critical)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS score: 0.0011 (29.4th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-38337 is a critical-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability in IBM Sterling Secure Proxy. Its CVSS v3.1 base score is 9.1 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the vulnerability at the 29.4th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2024-38337 is a critical-severity vulnerability (CVSS 9.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) affecting IBM Sterling Secure Proxy versions 6.0.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.1.0.0, and 6.2.0.0. The issue stems from an incorrect permission assignment on a critical resource (CWE-732), which could allow an unauthorized attacker to retrieve or alter sensitive information.

The vulnerability is exploitable remotely over the network (AV:N) by an unauthenticated attacker (PR:N), with low attack complexity (AC:L) and no user interaction required (UI:N). Successful exploitation gives high-impact access to confidential data (C:H) and the ability to modify it (I:H), without affecting availability (A:N). Because Sterling Secure Proxy is typically deployed in the DMZ as the front door for managed file transfer traffic, a flaw reachable without credentials is exposed to exactly the untrusted network the proxy exists to shield, so data exposure or unauthorized changes to the proxied exchanges are the realistic outcomes.

IBM has published a security advisory with details on mitigation and patches at https://www.ibm.com/support/pages/node/7179166. Security practitioners should review it for version-specific remediation steps.


Vulnerability details

IBM Sterling Secure Proxy 6.0.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.1.0.0, and 6.2.0.0 could allow an unauthorized attacker to retrieve or alter sensitive information contents due to incorrect permission assignments.

CWE(s)

CWE-732 Incorrect Permission Assignment for Critical Resource

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote, unauthenticated exploitation of a public-facing proxy through a permission misconfiguration directly provides initial access together with the ability to read or modify the data it handles.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-41783 (same product: IBM AIX)
CVE-2026-8855 (same product: IBM AIX)
CVE-2026-8834 (same product: IBM AIX)
CVE-2024-41763 (same product: Linux Kernel)
CVE-2024-41767 (same product: Linux Kernel)
CVE-2024-52363 (same product: IBM AIX)
CVE-2026-6052 (same product: IBM AIX)
CVE-2026-6051 (same product: IBM AIX)
CVE-2024-54171 (same product: Linux Kernel)
CVE-2024-49781 (same product: Linux Kernel)

Affected Assets

IBM Sterling Secure Proxy: 6.0.0.0 through 6.0.3.1, 6.1.0.0, 6.2.0.0
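A practitioner's first question is whether a given deployment falls inside those ranges. The check below is an added example, not code from this page or from IBM: the ranges are the ones listed under Affected Assets above, while obtaining the installed version string is assumed to happen elsewhere (it is passed in as an argument).

```python
# Affected-version check for CVE-2024-38337. Added worked example; not code
# from the page or from IBM. The ranges are those listed under Affected
# Assets on this page. How the installed version string is obtained is
# assumed to be handled elsewhere; it is simply passed in.

# Inclusive (low, high) ranges from the page's Affected Assets entry.
AFFECTED_RANGES = [
    ("6.0.0.0", "6.0.3.1"),
    ("6.1.0.0", "6.1.0.0"),
    ("6.2.0.0", "6.2.0.0"),
]

VERSION_WIDTH = 4  # SSP versions are four dotted integers, e.g. 6.2.0.0


def parse_version(version: str) -> tuple:
    """'6.0.3' -> (6, 0, 3, 0). Zero-pads short strings so that tuple
    comparison is well defined; rejects non-numeric or over-long input."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {version!r}")
    if len(parts) > VERSION_WIDTH:
        raise ValueError(f"more than {VERSION_WIDTH} components: {version!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (VERSION_WIDTH - len(nums)))


def affected_range(version: str):
    """Return the (low, high) range containing `version`, or None when the
    version lies outside every listed range."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return (low, high)
    return None


def is_affected(version: str) -> bool:
    """True when the version is inside one of the listed affected ranges."""
    return affected_range(version) is not None


if __name__ == "__main__":
    for v in ("6.0.0.3", "6.0.3.1", "6.0.3.2", "6.1.0.0", "6.1.0.1", "6.2"):
        print(v, "affected" if is_affected(v) else "not in listed ranges")
```

Two caveats. The page's Deeper analysis lists 6.0.0.0 through 6.0.0.3 while Affected Assets lists 6.0.0.0 through 6.0.3.1; the check uses the broader range, so confirm the exact cut-off against the IBM advisory before closing a ticket. And a version outside every range only means it is not listed here, not that it is fixed: the fixed versions come from the advisory, not from this page.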

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement · prevent

Directly enforces approved authorizations for access to sensitive information, mitigating the unauthorized retrieval or alteration that the incorrect permission assignments in IBM Sterling Secure Proxy allow.

AC-6 Least Privilege · prevent

Restricts permissions to only those necessary, so that an incorrect assignment in the vulnerable proxy versions does not translate into excessive access.

prevent · recover

Requires timely identification, reporting, and correction of the specific flaw behind the incorrect permission assignments in IBM Sterling Secure Proxy versions 6.0.0.0 through 6.2.0.0; in practice, applying the fix described in the IBM advisory.
