CVE-2024-39864
Published: 05 July 2024
Summary
CVE-2024-39864 is a critical-severity Code Injection (CWE-94) vulnerability in Apache Cloudstack. Its CVSS base score is 9.8 (Critical).
By exploit-likelihood percentile it ranks in the top 14.6% of CVEs; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-39864 affects the integration API service in Apache CloudStack. This service runs an unauthenticated API listener (conventionally on port 8096) for internal portal integrations and testing, and is enabled through the integration.api.port global setting; a value of 0 or a negative value is meant to keep it disabled. Due to improper initialization logic, leaving the port at its default value of 0 caused the service to bind to a kernel-assigned random port instead of staying disabled, exposing an unintended listener on management hosts even where nobody had enabled it.
An attacker with network access to the CloudStack management segment can scan for the randomized port and reach the unauthenticated API. Successful exploitation permits unauthorized administrative operations that lead to remote code execution on CloudStack-managed hosts, resulting in complete compromise of confidentiality, integrity, and availability of the infrastructure. The vulnerability carries a CVSS 3.1 score of 9.8 and is associated with CWE-94 and CWE-665.
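As an added illustration (example code, not the CloudStack project's own), the following Python model shows why a configured port of 0 does not mean "disabled" at the socket layer: bind() with port 0 asks the kernel for an ephemeral port, so a start-up path that passes the configured value straight through produces a live listener. The corrected path treats any value of 0 or less as disabled before a socket is ever created. The function names and the use of loopback are this example's own; the pre-fix behaviour for negative values is not described by the advisory and is deliberately not modelled.

```python
import socket
from typing import Optional


def start_integration_api(port: int, fixed: bool) -> Optional[socket.socket]:
    """Model of the integration API start-up path (example code, not CloudStack's).

    fixed=False mirrors the pre-fix behaviour described in the advisory: the
    configured port is handed straight to bind(), so 0 makes the kernel pick an
    ephemeral port and the service ends up listening anyway.
    fixed=True mirrors the corrected logic: 0 or a negative value means
    'disabled' and no socket is created at all.
    """
    if fixed and port <= 0:
        return None
    if not fixed and port < 0:
        # The advisory only documents the port==0 case for the pre-fix code.
        raise ValueError("pre-fix behaviour for negative values is not modelled")
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    # Loopback is used here so the demo does not open a real network listener.
    srv.bind(("127.0.0.1", port))
    srv.listen(5)
    return srv


def bound_port(srv: Optional[socket.socket]) -> Optional[int]:
    """Port the kernel actually bound, or None when the service is disabled."""
    return srv.getsockname()[1] if srv is not None else None


def compare_behaviour(configured_port: int) -> dict:
    """Run both code paths for one configured value and report what listens."""
    result = {}
    for label, fixed in (("pre_fix", False), ("fixed", True)):
        srv = start_integration_api(configured_port, fixed)
        result[label] = bound_port(srv)
        if srv is not None:
            srv.close()
    return result


if __name__ == "__main__":
    # Default setting: the pre-fix path yields a random ephemeral port,
    # the fixed path yields None (no listener at all).
    print(compare_behaviour(0))
```

The practical consequence is the one the advisory draws: an operator who never touched integration.api.port, and so never expected the unauthenticated API to exist, still has it reachable on whatever port the kernel handed out at start-up, which is why a port scan of the management segment finds it.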
Public advisories from the Apache CloudStack project and downstream vendors recommend restricting network access to management server hosts to only essential ports and upgrading to version 4.18.2.1, 4.19.0.2, or later to correct the initialization flaw.
The EPSS score rose from a low baseline to a peak of 0.0537 on 2025-12-11 before receding to the current value of 0.0239.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-38269
Vulnerability details
The CloudStack integration API service allows running its unauthenticated API server (usually on port 8096 when configured and enabled via integration.api.port global setting) for internal portal integrations and for testing purposes. By default, the integration API service port is disabled and is considered disabled when integration.api.port is set to 0 or negative. Due to an improper initialisation logic, the integration API service would listen on a random port when its port value is set to 0 (default value). An attacker that can access the CloudStack management network could scan and find the randomised integration API service port and exploit it to perform unauthorised administrative actions and perform remote code execution on CloudStack managed hosts and result in complete compromise of the confidentiality, integrity, and availability of CloudStack managed infrastructure. Users are recommended to restrict the network access on the CloudStack management server hosts to only essential ports. Users are recommended to upgrade to version 4.18.2.1, 4.19.0.2 or later, which addresses this issue.
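An added detection check (example code, not part of the advisory or the CloudStack project) that an operator can run on a management server before or after upgrading: parse `ss -ltnp` output and flag any port held by the management server's java process that is not in the deployment's expected set. A stray high port owned by that JVM is the symptom the advisory describes for integration.api.port left at 0. The `ss` output below is constructed for the example, and the port allowlist is an assumption to adjust per deployment (8080 and 8443 for UI and API, 8250 for agents, 9090 for the cluster service, with 8096 added only if the integration API is intentionally enabled).

```python
import re
from typing import Iterable, List, Set, Tuple

# Ports a CloudStack management server is assumed to expose in this example;
# adjust to the deployment (8096 belongs here only if the integration API is
# deliberately enabled).
EXPECTED_MGMT_PORTS: Set[int] = {8080, 8443, 8250, 9090}

# Constructed sample of `ss -ltnp` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=811,fd=3))
LISTEN  0       50      0.0.0.0:8080        0.0.0.0:*          users:(("java",pid=1234,fd=101))
LISTEN  0       50      0.0.0.0:8250        0.0.0.0:*          users:(("java",pid=1234,fd=102))
LISTEN  0       50      0.0.0.0:9090        0.0.0.0:*          users:(("java",pid=1234,fd=103))
LISTEN  0       50      0.0.0.0:41237       0.0.0.0:*          users:(("java",pid=1234,fd=104))
LISTEN  0       80      127.0.0.1:3306      0.0.0.0:*          users:(("mysqld",pid=902,fd=21))
LISTEN  0       50      [::]:8443           [::]:*             users:(("java",pid=1234,fd=105))
"""

# Extracts the process name and pid from ss's users:(("name",pid=N,fd=M)) column.
_PROC_RE = re.compile(r'"([^"]+)",pid=(\d+)')


def parse_ss_listeners(output: str) -> List[Tuple[str, int, str, int]]:
    """Return (local_addr, port, process_name, pid) for every LISTEN row."""
    rows = []
    for line in output.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue  # header line or a row without a process column
        # rsplit handles IPv6 forms such as [::]:8443 as well as 0.0.0.0:8080
        addr, port = fields[3].rsplit(":", 1)
        m = _PROC_RE.search(fields[5])
        if not m:
            continue
        rows.append((addr, int(port), m.group(1), int(m.group(2))))
    return rows


def unexpected_java_listeners(
    output: str, expected: Iterable[int] = EXPECTED_MGMT_PORTS
) -> List[Tuple[str, int, int]]:
    """Listeners held by a java process on ports outside the expected set.

    Anything returned here deserves a look at integration.api.port and at the
    management server version; the advisory's fix is the upgrade, the
    allowlist check only tells you whether the symptom is present.
    """
    allowed = set(expected)
    return [
        (addr, port, pid)
        for addr, port, name, pid in parse_ss_listeners(output)
        if name == "java" and port not in allowed
    ]


if __name__ == "__main__":
    for addr, port, pid in unexpected_java_listeners(SAMPLE_SS_OUTPUT):
        print(f"unexpected listener {addr}:{port} (java pid {pid}); check integration.api.port")
```

On a live host, replace SAMPLE_SS_OUTPUT with the text of `ss -ltnp` run as root (the Process column is only populated with sufficient privileges). A flagged port is a prompt to confirm the setting and to upgrade to 4.18.2.1 or 4.19.0.2; the network restriction the advisory recommends limits who can reach such a port but does not remove the listener.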
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (automated CWE-based mapping)
Per-CVE control mapping for this CVE has not run yet; the list below is derived only from the weakness types (CWE-94, CWE-665) cited in the NVD entry, so several entries are generic to those weaknesses rather than specific to this flaw. The concrete mitigations for this CVE remain the ones in the advisory: upgrade to 4.18.2.1 or 4.19.0.2 or later, and restrict network access to the management server hosts to essential ports.
Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
Ensures shared resources are explicitly initialized or cleared on allocation, preventing exposure of prior contents to new users or processes.
Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.
Validates inputs used in dynamic code generation to block injected directives.
Mandates that every instance begins in a known (presumably clean) state, eliminating reliance on residual or uninitialized state left by prior executions.
Directly prevents execution of attacker-supplied code written into data memory regions.