Cyber Posture

CVE-2024-46310

Severity: Critical
Published: 13 January 2025
Modified: 15 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: none recorded on this page
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.8300 (99.3rd percentile)
Risk Priority: 68 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-46310 is a critical-severity Improper Preservation of Permissions (CWE-281) vulnerability in Cfxre (product name inferred from references). Its CVSS base score is 9.1 (Critical).

Operationally, it ranks in the top 0.7% of CVEs by exploit likelihood (EPSS 0.8300, 99.3rd percentile); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5, AI-generated)

AC-3 Access Enforcement (prevent): Enforces approved authorizations for access to system resources, directly preventing unauthenticated users from reading or modifying arbitrary user data via exposed API endpoints.

AC-14 Permitted Actions Without Identification or Authentication (prevent): Defines and restricts the specific actions permitted without identification or authentication, mitigating unauthorized access to sensitive user data on public API endpoints.

SC-7 Boundary Protection (prevent): Monitors and controls communications at external boundaries, blocking unauthorized remote access to vulnerable API endpoints.

NVD Description

Incorrect Access Control in Cfx.re FXServer v9601 and earlier allows unauthenticated users to modify and read arbitrary user data via exposed API endpoint.

Deeper analysis (AI-generated)

CVE-2024-46310 is an incorrect access control vulnerability affecting Cfx.re FXServer versions v9601 and earlier. The flaw exposes an API endpoint that permits unauthenticated users to read and modify arbitrary user data; it is classified as CWE-281 (Improper Preservation of Permissions). The issue carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to high impacts on confidentiality and integrity; availability is not affected.

Attackers require no privileges or user interaction and can exploit the vulnerability remotely over the network with low complexity. Successful exploitation allows unauthenticated remote attackers to access, read, and alter sensitive user data stored on the server, potentially leading to data theft, account takeovers, or unauthorized modifications across affected FXServer instances.

For mitigation details, refer to advisories and resources at http://cfxre.com and https://github.com/PRX5Y/CVE-2024-46310. The affected range is stated as v9601 and earlier; no fixed build is named on this page, so confirm the remediated version against those sources before treating an upgrade as complete.

Details

CWE(s): CWE-281 Improper Preservation of Permissions

Affected Products: Cfxre (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2024-56973 (shared CWE-281)
CVE-2024-40672 (shared CWE-281)
CVE-2024-46622 (shared CWE-281)
CVE-2025-25871 (shared CWE-281)
CVE-2025-30456 (shared CWE-281)
CVE-2024-55507 (shared CWE-281)
CVE-2025-30449 (shared CWE-281)
CVE-2025-25711 (shared CWE-281)
CVE-2024-54818 (shared CWE-281)
CVE-2024-56192 (shared CWE-281)

References