Cyber Resilience

CVE-2024-46479

Severity: Critical
Published: 13 January 2025
Modified: 07 October 2025
KEV Added: not listed
Patch: none referenced in the available sources
CVSS v3.1 base score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS score: 0.0599 (90.9th percentile)
Risk Priority: 23 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-46479 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Venki Supravizio BPM, with a CVSS v3.1 base score of 9.9 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it in the top 9.1% of CVEs by predicted exploit likelihood, but it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Venki Supravizio BPM through version 18.0.1 contains an arbitrary file upload vulnerability tracked as CVE-2024-46479. The flaw, classified as CWE-434, lets an authenticated user upload files of dangerous types (for example server-side scripts) that the application then stores where they can be executed on the server. The CVSS v3.1 score of 9.9 reflects a network attack vector, low attack complexity, low privileges required, no user interaction, changed scope, and high impact on confidentiality, integrity and availability. In practice this means any account that can reach the upload function is sufficient, and a successful exploit compromises the host rather than only the application.

An authenticated attacker exploits the weakness by uploading a malicious file that the application later processes or executes, giving remote code execution on the affected server. The current EPSS score of 0.0599, against a recorded peak of 0.0833, indicates modest and stable exploitation interest since disclosure. Public details are available in the referenced GitHub research repository and on the vendor product page, but neither of the available sources provides a specific patch or mitigation guidance; until a fixed release is published, compensating controls at the upload boundary are the practical defence.

Vulnerability details

Venki Supravizio BPM through 18.0.1 was discovered to contain an arbitrary file upload vulnerability. An authenticated attacker may upload a malicious file, leading to remote code execution.

CWE(s)

CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The arbitrary file upload in Venki Supravizio BPM lets an authenticated attacker place and then execute a malicious file on the server, which is exactly the exploitation of an Internet-facing application that T1190 describes. The mapping holds even though authentication is required: the prerequisite is only a low-privilege account on the application (PR:L), not access to the internal network, so the technique still delivers initial access to the host.
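The following is an added example and not code from the page, from Venki, or from MITRE: a small detector for the upload-then-execute pattern that turns this CWE-434 flaw into T1190, run over web server access logs in Combined Log Format. The upload endpoint, the upload directory prefix and every log line are constructed for the demo and are not Supravizio BPM's real paths.

```python
# Added example (not from the page, Venki, or MITRE): detect an accepted upload
# followed by a request that executes a file under the upload directory.
# UPLOAD_ENDPOINTS, UPLOAD_DIR_PREFIX and SAMPLE_LOG are assumptions for the demo.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

UPLOAD_ENDPOINTS = {"/api/upload", "/attachments/upload"}  # assumed upload routes
UPLOAD_DIR_PREFIX = "/uploads/"                            # assumed storage path served by the app
# Suffixes the application server would interpret. The \b lets "shell.php;.png"
# match, since ';' and '.' are non-word characters.
EXEC_SUFFIX = re.compile(r"\.(php|phtml|jsp|jspx|asp|aspx|cgi|sh)\b", re.IGNORECASE)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["status"] = int(event["status"])
    event["path"] = event["path"].split("?", 1)[0]  # drop the query string
    return event


def detect(lines):
    """Return one alert per successful request for an executable-looking file
    under the upload directory. Confidence is 'high' when the same client IP
    had an accepted upload earlier in the log, 'medium' otherwise."""
    accepted_uploads = defaultdict(list)  # client ip -> timestamps of accepted uploads
    alerts = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if e["method"] == "POST" and e["path"] in UPLOAD_ENDPOINTS and 200 <= e["status"] < 300:
            accepted_uploads[e["ip"]].append(e["ts"])
            continue
        if (e["path"].startswith(UPLOAD_DIR_PREFIX)
                and EXEC_SUFFIX.search(e["path"])
                and e["status"] == 200):
            prior = accepted_uploads.get(e["ip"], [])
            alerts.append({
                "ip": e["ip"],
                "path": e["path"],
                "ts": e["ts"],
                "prior_upload_ts": prior[-1] if prior else None,
                "confidence": "high" if prior else "medium",
            })
    return alerts


# Constructed log lines: a benign user uploading a PDF, an attacker uploading and
# then invoking a web shell twice, a failed probe, and an execution with no
# upload observed in the window (upload may predate the log).
SAMPLE_LOG = """\
10.0.0.5 - alice [13/Jan/2025:10:01:02 +0000] "POST /api/upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - alice [13/Jan/2025:10:01:09 +0000] "GET /uploads/report.pdf HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
10.0.0.9 - bob [13/Jan/2025:10:07:41 +0000] "POST /api/upload HTTP/1.1" 200 98 "-" "python-requests/2.31"
10.0.0.9 - bob [13/Jan/2025:10:07:43 +0000] "GET /uploads/cmd.jsp?c=id HTTP/1.1" 200 312 "-" "python-requests/2.31"
10.0.0.9 - bob [13/Jan/2025:10:07:50 +0000] "GET /uploads/shell.php;.png HTTP/1.1" 200 312 "-" "python-requests/2.31"
10.0.0.7 - - [13/Jan/2025:10:09:00 +0000] "GET /uploads/probe.jsp HTTP/1.1" 404 196 "-" "curl/8.0"
10.0.0.12 - - [13/Jan/2025:10:15:22 +0000] "GET /uploads/old.aspx HTTP/1.1" 200 77 "-" "curl/8.0"
""".splitlines()

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a['confidence']}] {a['ip']} {a['ts']} executed {a['path']} "
              f"(prior upload: {a['prior_upload_ts']})")
```

The 404 probe is deliberately not alerted on, since a request that never reached an interpreter is noise in this rule; a separate rule on repeated 404s under the upload path would cover reconnaissance. On the constructed input the detector raises two high-confidence alerts for 10.0.0.9 and one medium-confidence alert for 10.0.0.12.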

CVEs Like This One

CVE-2024-46481 (same product: Venki Supravizio BPM)
CVE-2024-46480 (same product: Venki Supravizio BPM)
CVE-2024-56975 (shared CWE-434)
CVE-2019-25580 (shared CWE-434)
CVE-2026-27636 (shared CWE-434)
CVE-2026-4809 (shared CWE-434)
CVE-2020-37090 (shared CWE-434)
CVE-2026-24729 (shared CWE-434)
CVE-2026-28289 (shared CWE-434)
CVE-2026-1730 (shared CWE-434)

Affected Assets

Vendor: Venki
Product: Supravizio BPM
Versions: ≤ 18.0.1

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-10 (Information Input Validation) directly mitigates unrestricted file uploads by enforcing validation of file type, content and attributes at the input point, so that dangerous files are never accepted. For this class of flaw that means an allowlist of permitted extensions, a check that the file content matches the claimed type, rejection of server-executable suffixes anywhere in the name (not only at its end), and storage under a server-chosen name outside the web root.

Prevent: SI-2 (Flaw Remediation) covers timely identification, reporting and correction of the arbitrary file upload flaw in Venki Supravizio BPM. Because the available sources reference no fixed release, SI-2 here means tracking the vendor for a patch and applying it as soon as one exists; it does not remove the exposure on its own today.

Prevent / Detect: SI-3 (Malicious Code Protection) deploys malicious code protection at entry points to scan uploaded files and block execution of dangerous content that could lead to RCE. Treat it as a secondary layer behind SI-10, since a web shell is easily altered to evade signature matching.
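As an added example that is not Venki's or Supravizio BPM's code, the validator below applies the SI-10 checks described in the control text to the attack described under Deeper analysis, and shows it beside the weak extension check that CWE-434 bugs typically reduce to. The allowlist, the size limit, the deny list of executable suffixes, and the filenames and byte strings in the demo cases are all constructed assumptions.

```python
# Added example, not Venki's or Supravizio BPM's code: an upload validator
# implementing SI-10 style type, content and attribute checks. ALLOWED_TYPES,
# DANGEROUS, MAX_BYTES and the sample inputs are assumptions for the demo.
import re
import secrets

# Allowlist: permitted extension -> magic-byte prefixes a genuine file of that type starts with.
ALLOWED_TYPES = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
}
# Suffixes an application or web server may interpret. Rejected wherever they
# appear in the name ("report.pdf.jsp", "shell.php;.png"), not only at the end.
DANGEROUS = {"php", "phtml", "jsp", "jspx", "asp", "aspx", "cgi", "sh", "exe", "war", "htaccess"}
MAX_BYTES = 10 * 1024 * 1024  # assumed size limit for the demo


class UploadRejected(ValueError):
    """Raised with a reason when an upload fails validation."""


def naive_is_allowed(filename: str) -> bool:
    """The weak check: trust the client-supplied name and look only at its tail."""
    return filename.lower().endswith(tuple(ALLOWED_TYPES))


def validate_upload(filename: str, data: bytes) -> str:
    """Return a server-chosen stored name if every check passes, else raise
    UploadRejected. The client-supplied name is never reused on disk."""
    # 1. Bound the size before any parsing.
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    # 2. Refuse separators, NUL and control characters outright instead of
    #    repairing them; a legitimate client never sends them in a filename.
    if re.search(r"[/\\\x00-\x1f]", filename):
        raise UploadRejected("path separator or control character in filename")
    # 3. Check every dot-separated component after the first, keeping only
    #    letters so "php;" or "php5" still hit the deny list.
    components = filename.lower().split(".")
    if len(components) < 2 or not components[0]:
        raise UploadRejected("filename has no usable extension")
    for comp in components[1:]:
        if re.sub(r"[^a-z]", "", comp) in DANGEROUS:
            raise UploadRejected(f"executable suffix '{comp}' in filename")
    # 4. The final extension must be on the allowlist.
    ext = "." + components[-1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension '{ext}' not permitted")
    # 5. Content must agree with the claimed type; a PHP payload named .png fails here.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("file content does not match its extension")
    # 6. Random server-chosen name: the uploader controls neither the path nor
    #    the name the server later serves or processes.
    return secrets.token_hex(16) + ext


def rejection_reason(filename: str, data: bytes):
    """Convenience wrapper: the rejection reason, or None when accepted."""
    try:
        validate_upload(filename, data)
    except UploadRejected as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed demo cases; the naive check passes the first three names.
    cases = [
        ("report.pdf", b"%PDF-1.7\n%constructed sample\n"),
        ("shell.php.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),   # double extension
        ("shell.php;.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),  # separator trick
        ("logo.png", b"<?php system($_GET['c']); ?>"),              # wrong content
        ("../../webapp/x.pdf", b"%PDF-1.7\n"),                      # traversal
    ]
    for name, blob in cases:
        verdict = rejection_reason(name, blob) or "accepted"
        print(f"{name!r}: naive={naive_is_allowed(name)} strict={verdict}")
```

The returned name is meant to be written under a directory that the web server does not serve and that is not scanned by the application's interpreter; when the file is later downloaded, send it with Content-Disposition: attachment and X-Content-Type-Options: nosniff so the browser does not reinterpret it either. Renaming on its own is not enough: the content check in step 5 is what stops a script disguised as an image from ever reaching disk.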
