Cyber Resilience

CVE-2024-42168

High

Published: 11 January 2025

Published
11 January 2025
Modified
16 May 2025
KEV Added
Patch
CVSS Score v3.1 8.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L
EPSS Score 0.0038 59.6th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-42168 is a high-severity Externally Controlled Reference to a Resource in Another Sphere (CWE-610) vulnerability in Hcltech Dryice Myxalytics. Its CVSS base score is 8.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 40.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2024-42168 is an out-of-band resource load vulnerability involving HTTP requests in HCL MyXalytics. The issue allows an attacker to deploy a web server that returns malicious content and then induce the application to retrieve and process that content. It carries a CVSS v3.1 base score of 8.9 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L) and maps to CWE-610 (Externally Controlled Reference to a Resource in Another Sphere) and CWE-918 (Server-Side Request Forgery).

An unauthenticated attacker accessible over the network can exploit this vulnerability, though it requires high attack complexity and no user interaction. By tricking the application into fetching and processing content from the attacker's controlled server, the attacker can achieve high impacts on confidentiality and integrity, with a low impact on availability, due to the cross-scope execution.

The HCL Software support knowledge base article at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0118149 provides details on advisories and mitigation steps for this vulnerability.

EU & UK References

Vulnerability details

HCL MyXalytics is affected by out-of-band resource load (HTTP) vulnerability. An attacker can deploy a web server that returns malicious content, and then induce the application to retrieve and process that content.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct SSRF/out-of-band resource loading in a public-facing app enables exploitation of the application itself to fetch/process attacker-controlled malicious content.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-42175Same product: Hcltech Dryice Myxalytics
CVE-2024-42172Same product: Hcltech Dryice Myxalytics
CVE-2024-42169Same product: Hcltech Dryice Myxalytics
CVE-2024-42180Same product: Hcltech Dryice Myxalytics
CVE-2024-42181Same product: Hcltech Dryice Myxalytics
CVE-2024-42176Same product: Hcltech Dryice Myxalytics
CVE-2025-55271Same vendor: Hcltech
CVE-2025-62319Same vendor: Hcltech
CVE-2025-31958Same vendor: Hcltech
CVE-2025-55262Same vendor: Hcltech

Affected Assets

hcltech
dryice myxalytics
6.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Validates inputs such as URLs or references to external resources, preventing the application from fetching and processing attacker-controlled malicious content.

prevent

Enforces flow control policies to block unauthorized outbound information flows to external attacker-controlled servers.

preventdetect

Monitors and controls external communications at system boundaries, restricting HTTP requests to untrusted external resources.

References