CVE-2024-39327
Published: 18 February 2025
Summary
CVE-2024-39327 is a critical-severity Improper Access Control (CWE-284) vulnerability in Eviden IDRA (inferred from references). Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 23.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2024-39327 is an Incorrect Access Control vulnerability (CWE-284) in Atos Eviden IDRA versions before 2.6.1. The flaw allows CA signing capabilities to be obtained illegitimately, earning a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). Published on 2025-02-18, it affects the IDRA component used in digital identity and PKI environments.
A low-privileged remote attacker (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Exploitation changes scope (S:C) and results in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H): illegitimate CA signing could lead to privilege escalation, certificate forgery, or broader system compromise.
Advisories recommend updating to Atos Eviden IDRA 2.6.1 or later. Relevant guidance appears on the Eviden digital identity solutions page at https://eviden.com/solutions/digital-security/digital-identity/ and in Bull PSIRT bulletin PSIRT-1335 (TLP:CLEAR v2.10) at https://support.bull.com/ols/product/security/psirt/security-bulletins/potential-privilege-escalation-in-idpki-psirt-1335-tlp-clear-version-2-10-cve-2024-39327-cve-2024-39328-cve-2024-51505/view, which addresses this CVE alongside CVE-2024-39328 and CVE-2024-51505 in the IDPKI context.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4795
Vulnerability details
Incorrect Access Control vulnerability in Atos Eviden IDRA before 2.6.1 could allow the possibility to obtain CA signing in an illegitimate way.
- CWE(s): CWE-284 (Improper Access Control)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Incorrect access control (CWE-284) in a network-accessible IDRA/PKI component directly enables remote exploitation (T1190) by low-privileged attackers and results in unauthorized CA signing that facilitates privilege escalation (T1068).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces approved authorizations for access to sensitive CA signing functions, preventing low-privileged attackers from obtaining illegitimate signing capabilities.
- AC-6 (Least Privilege): Restricts CA signing operations to authorized high-privilege accounts only, blocking exploitation by low-privileged remote users.
- PKI certificate controls: Establishes rigorous controls for PKI certificate issuance and management under CA direction, mitigating illegitimate CA signing in IDRA PKI environments.