Cyber Resilience

CVE-2024-4282

High

Published: 15 February 2025

Modified: 26 August 2025
KEV Added: not listed
Patch: fixed in SANnav 2.3.1b (vendor advisory linked below)
CVSS Score v4: 8.2 (High), vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0011 (percentile 29.1)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-4282 is a high-severity Use of a Broken or Risky Cryptographic Algorithm (CWE-327) vulnerability in Broadcom Brocade SANnav. Its CVSS v4 base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557). EPSS ranks it at percentile 29.1 by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-13 (Cryptographic Protection).

Deeper analysis

CVE-2024-4282 affects Brocade SANnav OVA versions prior to 2.3.1b, where a deprecated SHA1 setting is enabled for SSH on port 22. This configuration issue falls under CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) and has a CVSS v3.1 base score of 9.8 (Critical), reflecting its network accessibility (AV:N), low attack complexity (AC:L), lack of required privileges (PR:N), no user interaction (UI:N), and unchanged scope (S:U) with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). The vulnerability was published on 2025-02-15.

Remote, unauthenticated attackers can exploit this vulnerability over the network by targeting the weak SHA1 cryptographic setting in SSH communications on port 22. Successful exploitation could allow attackers to compromise SSH sessions, potentially leading to unauthorized access, data interception, modification, or disruption of services, aligning with the high CVSS impacts across confidentiality, integrity, and availability.

The Broadcom security advisory at https://support.broadcom.com/external/content/SecurityAdvisories/0/25400 provides details on mitigation, which includes upgrading to SANnav 2.3.1b or later to disable the deprecated SHA1 setting for SSH.
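A defender-side check for the configuration weakness described above, added here as an example and not code from Broadcom, Brocade or this record: it parses an OpenSSH-style sshd_config, reports every SHA-1-dependent KEX, MAC and host-key algorithm still offered, and produces a hardened copy with those algorithms removed. It assumes an OpenSSH-style configuration syntax (the SANnav OVA's actual SSH stack and config path are not stated on this page) and uses a constructed sample config.

```python
import re

# OpenSSH algorithm names that depend on SHA-1: anything with "sha1" in it
# (KEX and MAC names) plus the ssh-rsa and ssh-dss signature/host-key types.
SHA1_PATTERN = re.compile(r"sha1\b|^ssh-rsa$|^ssh-dss$", re.IGNORECASE)

# sshd_config keywords whose values are comma-separated algorithm lists.
AUDITED_KEYS = {"kexalgorithms", "macs", "hostkeyalgorithms", "pubkeyacceptedalgorithms"}

# Constructed sample (not from the advisory): a server that still offers SHA-1 algorithms.
WEAK_CONFIG = """\
Port 22
KexAlgorithms diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,curve25519-sha256
MACs hmac-sha1,hmac-sha2-256,hmac-sha1-etm@openssh.com
HostKeyAlgorithms ssh-rsa,rsa-sha2-512,ssh-ed25519
"""


def parse_sshd_config(text):
    """Return {lowercased keyword: [algorithms]} for the audited keywords only."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1]
        if key in AUDITED_KEYS:
            settings[key] = [v.strip() for v in value.split(",") if v.strip()]
    return settings


def find_sha1_algorithms(text):
    """Return {keyword: [offending algorithms]} for each audited keyword offering SHA-1."""
    findings = {}
    for key, algos in parse_sshd_config(text).items():
        bad = [a for a in algos if SHA1_PATTERN.search(a)]
        if bad:
            findings[key] = bad
    return findings


def harden(text):
    """Return the config with SHA-1 algorithms stripped from audited lines; other lines untouched."""
    out = []
    for raw in text.splitlines():
        parts = re.split(r"[\s=]+", raw.strip(), maxsplit=1)
        if len(parts) == 2 and parts[0].lower() in AUDITED_KEYS:
            kept = [a for a in parts[1].split(",") if not SHA1_PATTERN.search(a.strip())]
            out.append(f"{parts[0]} {','.join(kept)}")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"
```

Run `find_sha1_algorithms` against the live sshd_config as part of CM-6 configuration monitoring; an empty result means no SHA-1-based algorithm remains on offer.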

Vulnerability details

Brocade SANnav OVA before SANnav 2.3.1b enables SHA1 deprecated setting for SSH for port 22.

CWE(s): CWE-327 (Use of a Broken or Risky Cryptographic Algorithm)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1557 Adversary-in-the-Middle (Credential Access): Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.

T1021.004 SSH (Lateral Movement): Adversaries may use [Valid Accounts](https://attack.
Why these techniques?

A weak, deprecated SHA1 algorithm in a network-exposed SSH service directly enables adversary-in-the-middle attacks on sessions (T1557) and unauthorized remote access through the SSH service (T1021.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-2240: same product (Broadcom Brocade SANnav)
CVE-2024-1509: same vendor (Broadcom)
CVE-2025-58383: same vendor (Broadcom)
CVE-2025-58382: same vendor (Broadcom)
CVE-2025-66598: shared CWE-327
CVE-2024-8603: shared CWE-327
CVE-2024-5462: same vendor (Broadcom)
CVE-2026-0383: same vendor (Broadcom)
CVE-2025-9711: same vendor (Broadcom)
CVE-2025-12774: same vendor (Broadcom)

Affected Assets

Vendor: Broadcom
Product: Brocade SANnav
Versions: ≤ 2.3.1b

Mitigating Controls

NIST 800-53 r5 controls:

SC-13 (prevent): SC-13 mandates the use of approved cryptographic mechanisms, directly prohibiting deprecated SHA1 in SSH communications to protect confidentiality and integrity.

CM-6 (prevent): CM-6 requires secure configuration settings for system components, ensuring the SSH service disables weak SHA1 algorithms as per vendor guidance.

SC-8 (prevent): SC-8 protects the confidentiality and integrity of transmitted information over SSH, mitigating risks from SHA1's cryptographic weaknesses.
