CVE-2024-50706
Published: 04 March 2025
Summary
CVE-2024-50706 is a critical-severity SQL Injection (CWE-89) vulnerability in Uniguest Tripleplay. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 33.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-50706 is an unauthenticated SQL injection vulnerability (CWE-89) affecting Uniguest Tripleplay version 23.1 and later. It enables remote attackers to execute arbitrary SQL queries on the backend database. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, lack of privileges or user interaction requirements, and high impacts on confidentiality, integrity, and availability.
Remote attackers without authentication can exploit this vulnerability over the network by injecting malicious SQL payloads into affected endpoints. Successful exploitation allows arbitrary SQL query execution, potentially leading to full database compromise, including data extraction, modification, or deletion, as reflected in the high impact metrics.
Uniguest has published mitigation guidance in its CVE bulletins at https://uniguest.com/cve-bulletins/ and a dedicated vulnerability summary PDF at https://uniguest.com/wp-content/uploads/2025/02/CVE-2024-50706-Vulnerability-Summary.pdf. Security practitioners should consult these advisories for patching instructions and workarounds.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-54227
Vulnerability details
Unauthenticated SQL injection vulnerability in Uniguest Tripleplay version 23.1+ allows remote attackers to execute arbitrary SQL queries on the backend database.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote SQL injection in a public-facing application directly enables exploitation of public-facing applications.
Mitigating Controls (NIST 800-53 r5)
- Vendor patching: directly remediates the specific unauthenticated SQL injection flaw in Uniguest Tripleplay by applying vendor-provided patches and updates.
- SI-10 (Information Input Validation): prevents SQL injection exploitation by validating and sanitizing all remote inputs so that malicious SQL payloads never reach the backend database.
- SC-7 (Boundary Protection): mitigates remote unauthenticated attacks via boundary protections such as web application firewalls that inspect and block SQL injection attempts at network interfaces.