CVE-2024-43187
Published: 04 February 2025
Summary
CVE-2024-43187 is a medium-severity Cleartext Transmission of Sensitive Information (CWE-319) vulnerability in Ibm Security Verify Access. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Sniffing (T1040); ranked at the 10.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-8 (Transmission Confidentiality and Integrity) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-43187 is a vulnerability in IBM Security Verify Access Appliance and Container versions 10.0.0 through 10.0.8 that results in the transmission of sensitive or security-critical data in cleartext over a communication channel susceptible to sniffing by unauthorized actors. This issue is classified under CWE-319 (Cleartext Transmission of Sensitive Information) and carries a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating medium severity primarily due to high confidentiality impact.
The vulnerability can be exploited by unauthorized actors with network access who lack privileges and require no user interaction, though exploitation demands high attack complexity, such as positioning to intercept traffic. Successful attacks enable sniffing and capture of sensitive data in transit, compromising confidentiality without affecting integrity or availability.
IBM's security advisory at https://www.ibm.com/support/pages/node/7182386 provides details on remediation and mitigation steps for this vulnerability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-40297
Vulnerability details
IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables passive network sniffing of cleartext sensitive data in transit (CWE-319).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SC-8 mandates cryptographic protection for the confidentiality and integrity of transmitted information, directly preventing sniffing of sensitive data in cleartext as in this CVE.
SI-2 requires identification, reporting, and correction of flaws like CVE-2024-43187, enabling patching to eliminate cleartext transmission per IBM's advisory.
SC-13 enforces cryptographic standards and modules that support secure transmission protections, mitigating cleartext vulnerabilities when applied to communications.