CVE-2024-46310
Published: 13 January 2025
Summary
CVE-2024-46310 is a critical-severity Improper Preservation of Permissions (CWE-281) vulnerability in Cfx.re FXServer (vendor inferred from references). Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.6% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2024-46310 is an incorrect access control vulnerability affecting Cfx.re FXServer versions 9601 and earlier. The flaw resides in an exposed API endpoint that fails to enforce authentication or authorization checks, enabling unauthenticated network access to user data operations. It carries a CVSS 3.1 base score of 9.1 and is associated with CWE-281.
Unauthenticated remote attackers can exploit the issue over the network without credentials or user interaction. Successful exploitation grants the ability to read and modify arbitrary user data, resulting in high impact to confidentiality and integrity while availability remains unaffected.
The EPSS score currently stands at 0.8521, matching its recorded peak. Public references include the vendor domain cfxre.com and a GitHub repository containing further technical details on the vulnerability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-42214
Vulnerability details
Incorrect Access Control in Cfx.re FXServer v9601 and earlier allows unauthenticated users to modify and read arbitrary user data via an exposed API endpoint.
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
An exposed, unauthenticated API endpoint in a public-facing FXServer directly enables remote exploitation for data read/modify access.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations for access to system resources, directly preventing unauthenticated users from reading or modifying arbitrary user data via exposed API endpoints.
- AC-14 (Permitted Actions Without Identification or Authentication): Defines and restricts the specific actions permitted without identification or authentication, mitigating unauthorized access to sensitive user data on public API endpoints.
- Boundary protection: Monitors and controls communications at external boundaries, blocking unauthorized remote access to vulnerable API endpoints.
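The defect class described under "Deeper analysis" (an API endpoint that dispatches user-data operations without ever checking who is calling) and the AC-3/AC-14 controls listed above can be shown side by side in a small handler. The following is an added illustration, not Cfx.re/FXServer code and not a reconstruction of the affected endpoint: the action names, session tokens, user records and the `Request` type are all constructed for the example. The vulnerable handler trusts the caller outright; the hardened one authenticates the token, keeps an explicit allowlist of actions permitted with no identity (the AC-14 idea), and denies everything it does not explicitly approve (the AC-3 idea).

```python
import copy
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample user store (user id -> profile); not real data.
USERS = {
    "u1": {"name": "alice", "email": "alice@example.invalid"},
    "u2": {"name": "bob", "email": "bob@example.invalid"},
}

# Constructed session store (bearer token -> (user id, role)); hypothetical.
SESSIONS = {
    "tok-alice": ("u1", "user"),
    "tok-bob": ("u2", "user"),
    "tok-admin": ("u0", "admin"),
}

# AC-14 style allowlist: the only actions served to callers that present no
# identity at all. Everything else requires an authenticated principal.
PUBLIC_ACTIONS = frozenset({"health"})


@dataclass
class Request:
    """One API call as a hypothetical handler sees it after parsing."""
    action: str                        # "health", "read_user" or "update_user"
    user_id: Optional[str] = None      # target record
    token: Optional[str] = None        # bearer token; None = unauthenticated
    payload: Dict[str, str] = field(default_factory=dict)


class AccessDenied(Exception):
    """Raised by the hardened handler for any request it does not explicitly allow."""


def fresh_store() -> Dict[str, Dict[str, str]]:
    """Per-call copy of USERS so separate runs do not interfere."""
    return copy.deepcopy(USERS)


def vulnerable_handle(req: Request, store: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """The defect class in the advisory: the endpoint dispatches on the action and
    target but never asks who the caller is, so any network peer can read or
    overwrite any user's record."""
    if req.action == "read_user":
        return dict(store[req.user_id])
    if req.action == "update_user":
        store[req.user_id].update(req.payload)
        return dict(store[req.user_id])
    raise KeyError(req.action)


def authenticate(token: Optional[str]) -> Optional[Tuple[str, str]]:
    """Resolve a token to (user id, role). None means no identity was proven."""
    return SESSIONS.get(token) if token else None


def authorize(principal: Optional[Tuple[str, str]], action: str, target: Optional[str]) -> bool:
    """AC-3 style decision: only explicitly approved combinations return True."""
    if action in PUBLIC_ACTIONS:
        return True                    # AC-14: permitted without identification
    if principal is None:
        return False                   # everything else needs a principal
    user_id, role = principal
    if role == "admin":
        return True
    if action in ("read_user", "update_user"):
        return target is not None and target == user_id   # own record only
    return False                       # unknown action: deny by default


def hardened_handle(req: Request, store: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Same operations, but every request is authenticated and authorized
    before any data is touched."""
    principal = authenticate(req.token)
    if not authorize(principal, req.action, req.user_id):
        raise AccessDenied(f"{req.action} on {req.user_id!r} denied for {principal!r}")
    if req.action == "health":
        return {"status": "ok"}
    if req.action == "read_user":
        return dict(store[req.user_id])
    if req.action == "update_user":
        store[req.user_id].update(req.payload)
        return dict(store[req.user_id])
    raise AccessDenied(req.action)     # not reachable: authorize() already denied it


def is_denied(req: Request) -> bool:
    """True if the hardened handler refuses the request."""
    try:
        hardened_handle(req, fresh_store())
        return False
    except AccessDenied:
        return True


def demo() -> Dict[str, bool]:
    """Run both handlers on one unauthenticated write against a fresh store."""
    unauth_request = Request("update_user", user_id="u2", payload={"email": "x@example.invalid"})
    modified = vulnerable_handle(unauth_request, fresh_store())["email"] == "x@example.invalid"
    return {"vulnerable_modified_record": modified, "hardened_blocked_request": is_denied(unauth_request)}


if __name__ == "__main__":
    print(demo())
```

The point worth carrying over to a real endpoint is that `authorize()` has exactly one way to say yes for each action; an unrecognised action, a missing token, or a target that is not the caller's own record all fall through to the same deny. Logging every `AccessDenied` with the action, target and source address also gives the monitoring hook that boundary-protection controls rely on.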