Cyber Resilience

CVE-2024-39864

Critical · RCE

Published: 05 July 2024

Modified: 19 March 2025
KEV Added: not listed
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0239 (85.4th percentile)
Risk Priority: 21 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-39864 is a critical-severity Code Injection (CWE-94) vulnerability in Apache CloudStack. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 14.6% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-39864 affects the integration API service in Apache CloudStack. This service is intended to run unauthenticated on a configurable port for internal portal integrations or testing, and is only meant to start when the integration.api.port global setting is enabled. Due to improper initialization logic, leaving the port value at its default of 0 causes the service to bind to a random port rather than remaining disabled, exposing an unintended listener on management hosts.

An attacker with network access to the CloudStack management segment can scan for the randomized port and reach the unauthenticated API. Successful exploitation permits unauthorized administrative operations that lead to remote code execution on CloudStack-managed hosts, resulting in complete compromise of confidentiality, integrity, and availability of the infrastructure. The vulnerability carries a CVSS 3.1 score of 9.8 and is associated with CWE-94 and CWE-665.

Public advisories from the Apache CloudStack project and downstream vendors recommend restricting network access to management server hosts to only essential ports and upgrading to version 4.18.2.1, 4.19.0.2, or later to correct the initialization flaw.

The EPSS score rose from a low baseline to a peak of 0.0537 on 2025-12-11 before receding to the current value of 0.0239.

Vulnerability details

The CloudStack integration API service allows running its unauthenticated API server (usually on port 8096 when configured and enabled via integration.api.port global setting) for internal portal integrations and for testing purposes. By default, the integration API service port is disabled and is considered disabled when integration.api.port is set to 0 or negative. Due to an improper initialisation logic, the integration API service would listen on a random port when its port value is set to 0 (default value). An attacker that can access the CloudStack management network could scan and find the randomised integration API service port and exploit it to perform unauthorised administrative actions and perform remote code execution on CloudStack managed hosts and result in complete compromise of the confidentiality, integrity, and availability of CloudStack managed infrastructure. Users are recommended to restrict the network access on the CloudStack management server hosts to only essential ports. Users are recommended to upgrade to version 4.18.2.1, 4.19.0.2 or later, which addresses this issue.
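A defender-side check of the behaviour described in the analysis above and in the advisory text, written here as an added example and not CloudStack project code: it classifies a build plus its integration.api.port value using the advisory's version ranges (fixed builds treat 0 or a negative value as disabled, flawed builds bind a random port at the default of 0), and flags listening sockets held by the management server process that are not on a deployment's allow-list. The `ss -lntp` output, the process name `java` and the ports 8080, 8250 and 44321 are constructed assumptions for the example.

```python
import re

# Affected ranges from the advisory. The upper bound of each range is the
# fixed release (4.18.2.1 / 4.19.0.2) and is therefore exclusive.
AFFECTED = [((4, 0, 0, 0), (4, 18, 2, 1)), ((4, 19, 0, 0), (4, 19, 0, 2))]

# Constructed `ss -lntp` output for a management host (not real data).
# 8080 and 8250 stand in for a deployment's intended listeners; 44321 plays
# the role of the random port the flawed default produces.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      100    0.0.0.0:8080        0.0.0.0:*         users:(("java",pid=2310,fd=55))
LISTEN 0      100    0.0.0.0:8250        0.0.0.0:*         users:(("java",pid=2310,fd=61))
LISTEN 0      50     0.0.0.0:44321       0.0.0.0:*         users:(("java",pid=2310,fd=77))
"""
LISTEN_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_version(text):
    """'4.19.0.1' -> (4, 19, 0, 1); shorter strings are padded with zeros."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))


def is_vulnerable_build(version):
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED)


def listener_state(version, port_setting):
    """What the integration API service does for this build and setting."""
    if port_setting > 0:
        # Deliberately enabled: still unauthenticated, so network access
        # to the management hosts must be restricted as the advisory says.
        return "enabled on port %d" % port_setting
    if port_setting == 0 and is_vulnerable_build(version):
        return "enabled on a random port (CVE-2024-39864)"
    return "disabled"


def unexpected_listeners(ss_output, process, expected_ports):
    """Ports held by `process` that are not on the deployment's allow-list."""
    found = set()
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if m and m.group(2) == process:
            found.add(int(m.group(1)))
    return found - set(expected_ports)
```

Run `unexpected_listeners` against the live `ss -lntp` output of each management server; any port it returns for the management process deserves a look, since the unintended listener appears on a port that no configuration names.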

CWE(s): CWE-94 (Code Injection), CWE-665 (Improper Initialization)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: apache
Product: cloudstack
Versions: 4.0.0 to 4.18.2.1, and 4.19.0.0 to 4.19.0.2

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-94: Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.

Addresses CWE-665: Ensures shared resources are explicitly initialized or cleared on allocation, preventing exposure of prior contents to new users or processes.

Addresses CWE-94: Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.

Addresses CWE-94: Validates inputs used in dynamic code generation to block injected directives.

Addresses CWE-665: Mandates that every instance begins in a known (presumably clean) state, eliminating reliance on residual or uninitialized state left by prior executions.

Addresses CWE-94: Directly prevents execution of attacker-supplied code written into data memory regions.
