Cyber Resilience

CVE-2024-42176

Severity: Low
Published: 19 March 2025
Modified: 16 May 2025
CVSS Score v3.1: 2.6 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N)
EPSS Score: 0.0016 (37.2nd percentile)
Risk Priority: 5 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-42176 is a low-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Hcltech Dryice Myxalytics. Its CVSS base score is 2.6 (Low).

Operationally, its EPSS score places it at the 37.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-10 (Concurrent Session Control) and AC-12 (Session Termination).

Deeper analysis

CVE-2024-42176 is a concurrent login vulnerability in HCL MyXalytics: the software permits simultaneous active sessions for a single set of credentials. The flaw, classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts), could allow unauthorized access to a user's account or sensitive information. It received a CVSS v3.1 base score of 2.6 (AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N): low severity, reachable over the network but with high attack complexity, and requiring both low-privilege access and user interaction.

An attacker with low privileges (PR:L) could exploit this over the network (AV:N), though it demands high complexity (AC:H) and user interaction (UI:R), such as tricking the user into concurrent login actions. Successful exploitation would grant limited confidentiality impact (C:L), allowing the attacker to potentially access the user's account or sensitive data without affecting integrity or availability.

Mitigation details are outlined in the HCL Software advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0119919.

Vulnerability details

HCL MyXalytics is affected by a concurrent login vulnerability. A concurrent login vulnerability occurs when simultaneous active sessions are allowed for a single credential, allowing an attacker to potentially obtain access to a user's account or sensitive information.

CWE(s)

CWE-307: Improper Restriction of Excessive Authentication Attempts

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-42181 (same product: Hcltech Dryice Myxalytics)
CVE-2024-42180 (same product: Hcltech Dryice Myxalytics)
CVE-2024-42169 (same product: Hcltech Dryice Myxalytics)
CVE-2024-42175 (same product: Hcltech Dryice Myxalytics)
CVE-2024-42172 (same product: Hcltech Dryice Myxalytics)
CVE-2024-42168 (same product: Hcltech Dryice Myxalytics)
CVE-2025-55261 (same vendor: Hcltech)
CVE-2025-55265 (same vendor: Hcltech)
CVE-2025-55270 (same vendor: Hcltech)
CVE-2025-31973 (same vendor: Hcltech)

Affected Assets

Vendor: hcltech
Product: dryice myxalytics
Versions: 6.3, 6.4

Mitigating Controls (NIST 800-53 r5) AI

AC-10 Concurrent Session Control (prevent): Directly limits the number of concurrent sessions per account, preventing the simultaneous active sessions for a single set of credentials that this CVE describes.

AC-12 Session Termination (prevent): Automatically terminates sessions based on defined conditions, reducing the window in which a concurrent session can be abused.

AC-9 Previous Logon Notification (detect): Notifies users upon login of previous logon activity, enabling detection of potential unauthorized concurrent sessions.
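To make the three controls concrete, here is an added example (constructed for this page, not code from HCL or from the advisory) of a minimal session store that enforces them: a per-account concurrent-session limit that evicts the oldest session on a new login (AC-10), idle-session termination on every lookup (AC-12), and a previous-logon timestamp returned at login so it can be shown to the user (AC-9). The `now` parameter is an assumption made so the behaviour can be exercised without waiting on wall-clock time.

```python
import secrets
import time
from dataclasses import dataclass

@dataclass
class Session:
    user: str
    created: float
    last_seen: float

class SessionStore:
    """Constructed store: max_sessions per account (AC-10), idle termination (AC-12), previous-logon record (AC-9)."""
    def __init__(self, max_sessions=1, idle_timeout=900):
        self.max_sessions = max_sessions
        self.idle_timeout = idle_timeout
        self.sessions = {}    # token -> Session
        self.last_logon = {}  # user -> time of last successful login

    def _expire_idle(self, now):
        # AC-12: drop every session idle for longer than idle_timeout seconds.
        for t in [t for t, s in self.sessions.items() if now - s.last_seen > self.idle_timeout]:
            del self.sessions[t]

    def login(self, user, now=None):
        # Returns (token, terminated_tokens, previous_logon_time).
        now = time.time() if now is None else now
        self._expire_idle(now)
        active = sorted((t for t, s in self.sessions.items() if s.user == user),
                        key=lambda t: self.sessions[t].created)
        # AC-10: evict the oldest sessions so the account never exceeds the limit.
        terminated = []
        while len(active) >= self.max_sessions:
            terminated.append(active.pop(0))
            del self.sessions[terminated[-1]]
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, now, now)
        previous = self.last_logon.get(user)  # AC-9: show this to the user at login
        self.last_logon[user] = now
        return token, terminated, previous

    def validate(self, token, now=None):
        # Returns the session's user, or None once the token is no longer active.
        now = time.time() if now is None else now
        self._expire_idle(now)
        s = self.sessions.get(token)
        if s is None:
            return None
        s.last_seen = now
        return s.user
```

With `max_sessions=1` a second login for the same credentials invalidates the first token immediately, which is the condition the advisory describes as missing; the idle timeout bounds how long any forgotten session stays usable.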

References

HCL Software advisory: https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0119919