Cyber Resilience

CVE-2024-39327

Critical

Published: 18 February 2025
Modified: 15 April 2026
CVSS Score v3.1: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0008 (23.6th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-39327 is a critical-severity Improper Access Control (CWE-284) vulnerability in Eviden IDRA (inferred from references). Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 23.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2024-39327 is an Incorrect Access Control vulnerability (CWE-284) in Atos Eviden IDRA versions before 2.6.1. The flaw allows CA signing capabilities to be obtained illegitimately, earning a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). Published on 2025-02-18, it affects the IDRA component used in digital identity and PKI environments.

A low-privileged remote attacker (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Exploitation changes scope (S:C) and results in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H): illegitimate CA signing can lead to privilege escalation, certificate forgery, or broader compromise of systems that trust the affected CA.

Advisories recommend updating to Atos Eviden IDRA 2.6.1 or later for mitigation. Relevant guidance appears in the Eviden digital identity solutions page at https://eviden.com/solutions/digital-security/digital-identity/ and Bull PSIRT bulletin PSIRT-1335 (TLP:CLEAR v2.10) at https://support.bull.com/ols/product/security/psirt/security-bulletins/potential-privilege-escalation-in-idpki-psirt-1335-tlp-clear-version-2-10-cve-2024-39327-cve-2024-39328-cve-2024-51505/view, which addresses this CVE alongside CVE-2024-39328 and CVE-2024-51505 in the IDPKI context.

Vulnerability details

Incorrect Access Control vulnerability in Atos Eviden IDRA before 2.6.1 could allow the possibility to obtain CA signing in an illegitimate way.

CWE(s)

CWE-284 Improper Access Control

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Incorrect access control (CWE-284) in a network-accessible IDRA/PKI component directly enables remote exploitation (T1190) by low-privileged attackers and results in unauthorized CA signing that facilitates privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-29315 (shared CWE-284)
CVE-2025-55261 (shared CWE-284)
CVE-2026-21636 (shared CWE-284)
CVE-2025-57130 (shared CWE-284)
CVE-2024-53348 (shared CWE-284)
CVE-2025-20229 (shared CWE-284)
CVE-2026-24300 (shared CWE-284)
CVE-2026-20750 (shared CWE-284)
CVE-2025-2280 (shared CWE-284)
CVE-2025-70064 (shared CWE-284)

Affected Assets

Eviden IDRA (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Directly enforces approved authorizations for access to sensitive CA signing functions, preventing low-privileged attackers from obtaining illegitimate signing capabilities.

AC-6 Least Privilege (prevent): Restricts CA signing operations to authorized high-privilege accounts only, blocking exploitation by low-privileged remote users.

PKI certificate controls (prevent): Establishes rigorous controls for PKI certificate issuance and management under CA direction, mitigating illegitimate CA signing in IDRA PKI environments.
