CVE-2024-41955
Published: 31 July 2024
Summary
CVE-2024-41955 is a medium-severity Open Redirect (CWE-601) vulnerability in Opensecurity Mobile Security Framework. Its CVSS base score is 5.2 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002). The CVE ranks in the top 5.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Mobile Security Framework (MobSF) contains an open redirect vulnerability (CWE-601) in its authentication view. The flaw affects the open-source mobile application analysis platform used for Android, iOS, and Windows Mobile testing and is tracked as CVE-2024-41955 with a CVSS 3.1 score of 5.2.
An attacker with high privileges who can influence the authentication flow may supply a crafted redirect URL. When a victim user follows the malicious link, the browser is sent to an attacker-controlled site after authentication, giving limited confidentiality exposure but a high integrity impact, such as phishing or session manipulation.
The project’s security advisory and associated commit recommend immediate upgrade to MobSF version 4.0.5, which contains the fix for the redirect logic. The EPSS score has remained essentially flat near 0.15 with no material post-disclosure increase.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2299
Vulnerability details
Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile. An open redirect vulnerability exists in the MobSF authentication view. Update to MobSF v4.0.5.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The open redirect vulnerability in the MobSF login authentication view (the ?next parameter) lets an attacker craft phishing links that appear to point at the legitimate MobSF site but, after the victim enters credentials, redirect the browser to an arbitrary external site, which is the mechanism behind spearphishing link attacks.
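The defensive counterpart to this weakness is to treat the ?next value as untrusted input and only honour it when it resolves to a same-site path. The following is an added, framework-independent example using only the Python standard library; it is not MobSF's code or the project's actual fix, and the hostnames and sample values are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample values: one legitimate local path plus several
# attacker-shaped "next" values that an open redirect check must reject.
SAMPLE_NEXT_VALUES = [
    "/dashboard/",                  # legitimate same-site path
    "https://evil.example/login",   # absolute URL to another host
    "//evil.example/",              # scheme-relative URL
    "/\\evil.example",              # browsers turn backslash into "/"
    "///evil.example",              # browsers collapse the extra slashes
    "javascript:alert(1)",          # pseudo-scheme, never a valid target
    "",                             # missing value
]

def safe_redirect_target(next_value, default="/", allowed_hosts=frozenset()):
    """Return a post-login redirect target that stays on this site.

    The ?next parameter is attacker-influenced. Accept it only when it is a
    same-site path, or an http(s) URL whose host is in allowed_hosts; in
    every other case fall back to default. The result is always re-emitted
    as a relative path, so the Location header never carries an authority.
    """
    if not next_value:
        return default
    # Browsers strip surrounding whitespace and treat "\" as "/" in the
    # authority part, so normalise the same way before parsing.
    candidate = next_value.strip().replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: only http(s) to an allowed host.
        if parts.scheme not in ("", "http", "https"):
            return default
        if (parts.hostname or "").lower() not in allowed_hosts:
            return default
        return urlunsplit(("", "", parts.path or "/", parts.query, parts.fragment))
    # Relative target: must start with exactly one "/" ("//..." and
    # "///..." both resolve to a foreign host in browsers).
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))

def check_samples(allowed_hosts=frozenset()):
    """Run the check over the constructed samples; returns (input, target) pairs."""
    return [(v, safe_redirect_target(v, allowed_hosts=allowed_hosts))
            for v in SAMPLE_NEXT_VALUES]
```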