CVE-2024-50619
Published: 11 February 2026
Summary
CVE-2024-50619 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Cipplanner Cipace. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 19.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-3 requires enforcement of approved authorizations, directly preventing client-side tampering with user IDs from granting unauthorized access to other accounts or privilege escalation.
AC-6 enforces least privilege, blocking low-privileged users from elevating their own privileges or modifying disabled user roles.
SI-10 validates information inputs on the server side, mitigating client-side tampering with user IDs and role information to prevent unauthorized modifications.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vuln enables network exploitation of public-facing app (T1190) for privilege escalation (T1068) via client-side tampering and unauthorized account/role modification (T1098).
NVD Description
Vulnerabilities in the My Account and User Management components in CIPPlanner CIPAce before 9.17 allows attackers to escalate their access levels. A low-privileged authenticated user can gain access to other people's accounts by tampering with the client's user id to…
more
change their account information. A low-privileged authenticated user can elevate his or her system privileges by modifying the information of a user role that is disabled in the client.
Deeper analysisAI
CVE-2024-50619 consists of vulnerabilities in the My Account and User Management components of CIPPlanner CIPAce versions prior to 9.17. These flaws allow attackers to escalate their access levels through improper privilege management (CWE-269). The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality, integrity, and availability.
A low-privileged authenticated user can exploit these vulnerabilities over the network without user interaction. By tampering with the client-side user ID, they can gain unauthorized access to other users' accounts and modify their information. Separately, the attacker can elevate their own system privileges by altering details of a disabled user role within the client.
The vendor has published a public notification of resolution at https://cipplanner.com/cve-2024-50619-cve-public-notification-of-resolution/, which addresses the vulnerabilities in CIPAce version 9.17 and later. Security practitioners should upgrade affected installations to mitigate the risks.
Details
- CWE(s)