Cyber Resilience

CVE-2024-46505

Critical

Published: 09 January 2025
Modified: 15 April 2026
CVSS Score (v3.1): 9.1, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS Score: 0.0004 (11.8th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-46505 is a critical-severity Incorrect Default Permissions (CWE-276) vulnerability in Medium (inferred from references). Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 11.8th percentile by EPSS exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

Infoblox BloxOne version 2.4 contains a business logic flaw stemming from thick client vulnerabilities, tracked as CVE-2024-46505. This issue was published on January 9, 2025, and carries a CVSS v3.1 base score of 9.1 (Critical), with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H. It is associated with CWEs 276 (Incorrect Default Permissions), 312 (Cleartext Storage of Sensitive Information), 319 (Insufficiently Protected Credentials), and 798 (Use of Hard-coded Credentials).

The vulnerability enables exploitation by unauthenticated attackers over the network with low complexity and no user interaction required. Successful exploitation results in high integrity and availability impacts, though confidentiality remains unaffected, allowing attackers to potentially manipulate system operations or disrupt services without privileges.

Details on mitigation, including any patches or advisories, are available in the referenced disclosure at https://jayaramyalla.medium.com/bloxone-business-logic-flaw-due-to-thick-client-vulnerabilities-cve-2024-46505-04a4f1966f4b. Security practitioners should consult this source for vendor-specific remediation guidance.

Vulnerability details

Infoblox BloxOne v2.4 was discovered to contain a business logic flaw due to thick client vulnerabilities.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated network exploitation of a public-facing application due to business logic and credential-handling flaws directly matches T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-27073 (shared CWE-798)
CVE-2025-35062 (shared CWE-276)
CVE-2026-35503 (shared CWE-798)
CVE-2024-43166 (shared CWE-276)
CVE-2024-55225 (shared CWE-276)
CVE-2026-30701 (shared CWE-798)
CVE-2025-42890 (shared CWE-798)
CVE-2020-36911 (shared CWE-798)
CVE-2017-20234 (shared CWE-798)
CVE-2026-32834 (shared CWE-798)

Affected Assets

Medium (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly remediates the business logic flaw and thick client vulnerabilities in Infoblox BloxOne v2.4 through flaw identification, patching, and verification.

Authenticator management (prevent): Mitigates hard-coded credentials and insufficiently protected credentials (CWEs 798, 319) by managing authenticators to prevent their insecure use in the thick client.

CM-6 Configuration Settings (prevent): Addresses incorrect default permissions (CWE-276) by enforcing secure configuration settings that prevent unauthorized access and manipulation in the thick client.