Cyber Resilience

CVE-2024-40749

Severity: High
Published: 07 January 2025
Modified: 04 June 2025
KEV Added: not listed (not currently in the CISA KEV catalog)
Patch: available (see vendor advisory below)
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.0001 (0.8th percentile)
Risk priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-40749 is a high-severity Improper Access Control (CWE-284) vulnerability in Joomla! (vendor: Joomla). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 0.8th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-40749 is an improper access controls vulnerability (CWE-284) affecting the Joomla CMS core component. It enables unauthorized access to protected views across multiple core views. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity primarily due to confidentiality impact.

Unauthenticated attackers with network access can exploit this vulnerability with low complexity and no user interaction required. Exploitation grants read access to sensitive data protected by access control lists, resulting in high confidentiality loss without impacting integrity or availability.

The official advisory from the Joomla Security Centre (https://developer.joomla.org/security-centre/956-20250103-core-read-acl-violation-in-multiple-core-views.html), published around January 3, 2025, provides details on the core read ACL violation and guidance for mitigation, including patches for affected Joomla versions. Security practitioners should review the advisory for version-specific remediation steps.


Vulnerability details

Improper Access Controls allows access to protected views.

CWE(s): CWE-284 Improper Access Control

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated network exploitation of a public-facing Joomla CMS instance to read sensitive data by bypassing the ACL.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23899 (same product: Joomla!)
CVE-2026-21629 (same product: Joomla!)
CVE-2026-48898 (same product: Joomla!)
CVE-2026-48899 (same product: Joomla!)
CVE-2026-35221 (same product: Joomla!)
CVE-2026-48904 (same product: Joomla!)
CVE-2026-35222 (same product: Joomla!)
CVE-2026-21630 (same product: Joomla!)
CVE-2024-40748 (same product: Joomla!)
CVE-2026-40383 (same product: Joomla!)

Affected Assets

Joomla! (vendor: Joomla)
Affected versions: 3.9.0 through 3.10.20, 4.0.0 through 4.4.10, 5.0.0 through 5.2.3
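As an added example (not code from this page or from the Joomla project), the check below decides whether a Joomla version string falls inside the affected ranges listed above, and reads the version out of the MAJOR_VERSION/MINOR_VERSION/PATCH_VERSION constants Joomla keeps in libraries/src/Version.php. The file path and constant names are assumptions about Joomla's layout, and the sample constants are constructed.

```python
import re

# Inclusive affected ranges as listed on this page for CVE-2024-40749.
AFFECTED_RANGES = [
    ("3.9.0", "3.10.20"),
    ("4.0.0", "4.4.10"),
    ("5.0.0", "5.2.3"),
]

# Constructed sample of the version constants in libraries/src/Version.php
# (the file path and constant names are an assumption about Joomla's layout).
SAMPLE_VERSION_PHP = """
    public const MAJOR_VERSION = 4;
    public const MINOR_VERSION = 4;
    public const PATCH_VERSION = 9;
"""

def parse_version(v):
    """Turn '4.4.10' into (4, 4, 10), padding missing parts with 0.
    A pre-release suffix such as '-rc1' is ignored for the comparison."""
    core = v.strip().split("-", 1)[0]
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric version: {v!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return tuple(nums)

def is_affected(version):
    """True if the version lies inside any listed inclusive range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)

def version_from_php(source):
    """Read the MAJOR/MINOR/PATCH constants out of Version.php text."""
    found = {}
    for name in ("MAJOR", "MINOR", "PATCH"):
        m = re.search(rf"const\s+{name}_VERSION\s*=\s*(\d+)\s*;", source)
        if not m:
            raise ValueError(f"{name}_VERSION not found in source")
        found[name] = m.group(1)
    return f"{found['MAJOR']}.{found['MINOR']}.{found['PATCH']}"

if __name__ == "__main__":
    ver = version_from_php(SAMPLE_VERSION_PHP)
    status = "affected" if is_affected(ver) else "not in listed ranges"
    print(f"Joomla {ver}: {status}")
```

Point `version_from_php` at the real Version.php contents of an installation to check it against the ranges on this page; a version outside the listed ranges is reported as "not in listed ranges" rather than as patched, since the page does not state fixed versions.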

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Enforces approved authorizations for logical access, directly preventing unauthorized read access to protected Joomla views due to improper ACL enforcement.

SI-2 Flaw Remediation (prevent): Identifies, reports, and corrects the specific flaw in Joomla core via timely patching, eliminating the improper access control vulnerability.

Detect: Monitors systems for unauthorized information disclosure, enabling detection of exploitation resulting in confidentiality loss from protected views.
