CVE-2024-48956

Critical

Published: 09 December 2024

Modified: 15 April 2026
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1162 (93.8th percentile)
Risk Priority: 27 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-48956 is a critical-severity Use of Default Cryptographic Key (CWE-1394) vulnerability in Serviceware Se (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 6.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

Deeper analysis

Serviceware Processes versions 6.0 through 7.3 before 7.4 contain a remote code execution vulnerability tracked as CVE-2024-48956. The flaw permits an unauthenticated attacker to submit a specially crafted HTTP request to a service endpoint, resulting in arbitrary code execution on the affected system. It carries a CVSS 3.1 base score of 9.8 and is associated with CWE-1394.

An attacker with no valid credentials can exploit the issue over the network by targeting the exposed service endpoint. Successful exploitation results in full compromise of the confidentiality, integrity, and availability of the impacted installation, consistent with the CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

The vendor advisory published at security.serviceware-se.com/CVE-2024-48956/ and the product page at serviceware-se.com/platform/serviceware-processes indicate that the issue is resolved in version 7.4. The current EPSS score of 0.1162 shows no material increase from its recorded peak.

Vulnerability details

Serviceware Processes 6.0 through 7.3 before 7.4 allows attackers without valid authentication to send a specially crafted HTTP request to a service endpoint resulting in remote code execution.

CWE(s)

CWE-1394 (Use of Default Cryptographic Key)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Serviceware Se
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
