Cyber Posture

CVE-2024-42176

Low

Published: 19 March 2025

Modified: 16 May 2025
KEV Added:
Patch:
CVSS Score: 2.6 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N)
EPSS Score: 0.0016 (36.9th percentile)
Risk Priority: 5 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-42176 is a low-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Hcltech Dryice Myxalytics. Its CVSS base score is 2.6 (Low).

Operationally, it ranks at the 36.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-10 (Concurrent Session Control) and AC-12 (Session Termination).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent: Directly limits the number of concurrent sessions per account, preventing simultaneous active sessions for a single set of credentials as exploited in this CVE.

prevent: Automatically terminates sessions based on defined conditions, reducing the risk and duration of concurrent session exploitation.

detect: Notifies users upon login of previous logon activity, enabling detection of potential unauthorized concurrent sessions.

MITRE ATT&CK Enterprise Techniques · AI

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v19.0

NVD Description

HCL MyXalytics is affected by concurrent login vulnerability. A concurrent login vulnerability occurs when simultaneous active sessions are allowed for a single credential allowing an attacker to potentially obtain access to a user's account or sensitive information.

Deeper analysis · AI

CVE-2024-42176 is a concurrent login vulnerability in HCL MyXalytics, where the software permits simultaneous active sessions for a single set of credentials. This flaw, classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts), enables potential unauthorized access to a user's account or sensitive information. The vulnerability received a CVSS v3.1 base score of 2.6 (AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N), indicating low severity: it is reachable over the network, but attack complexity is high, low-privilege access is required, and user interaction is required.

An attacker with low privileges (PR:L) could exploit this over the network (AV:N), though it demands high complexity (AC:H) and user interaction (UI:R), such as tricking the user into concurrent login actions. Successful exploitation would have a limited confidentiality impact (C:L), allowing the attacker to potentially access the user's account or sensitive data without affecting integrity or availability.

Mitigation details are outlined in the HCL Software advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0119919.

Details

CWE(s)

Affected Products

Vendor: hcltech
Product: dryice myxalytics
Versions: 6.3, 6.4

CVEs Like This One

CVE-2024-42168 · Same product: Hcltech Dryice Myxalytics
CVE-2024-42180 · Same product: Hcltech Dryice Myxalytics
CVE-2024-42181 · Same product: Hcltech Dryice Myxalytics
CVE-2024-42175 · Same product: Hcltech Dryice Myxalytics
CVE-2024-42172 · Same product: Hcltech Dryice Myxalytics
CVE-2024-42169 · Same product: Hcltech Dryice Myxalytics
CVE-2024-30150 · Same vendor: Hcltech
CVE-2026-21765 · Same vendor: Hcltech
CVE-2025-55265 · Same vendor: Hcltech
CVE-2024-42210 · Same vendor: Hcltech
