Cyber Resilience

CVE-2024-50706

Severity: Critical
Published: 04 March 2025
Modified: 28 May 2025
KEV Added: not listed
Patch: vendor patches and updates available (see Deeper analysis)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0050 (66.2nd percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-50706 is a critical-severity SQL Injection (CWE-89) vulnerability in Uniguest Tripleplay. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). By EPSS the CVE ranks in the top 33.8% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-50706 is an unauthenticated SQL injection vulnerability (CWE-89) affecting Uniguest Tripleplay version 23.1 and later. It enables remote attackers to execute arbitrary SQL queries against the backend database. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): it is reachable over the network, low in attack complexity, requires neither privileges nor user interaction, and has high impact on confidentiality, integrity, and availability, which together place it at critical severity.

Remote attackers without authentication can exploit this vulnerability over the network by injecting malicious SQL payloads into affected endpoints. Successful exploitation allows arbitrary SQL query execution, potentially leading to full database compromise, including data extraction, modification, or deletion, as reflected in the high impact metrics.

Uniguest has published mitigation guidance in its CVE bulletins at https://uniguest.com/cve-bulletins/ and a dedicated vulnerability summary PDF at https://uniguest.com/wp-content/uploads/2025/02/CVE-2024-50706-Vulnerability-Summary.pdf. Security practitioners should consult these advisories for patching instructions and workarounds before relying on compensating controls alone.

Vulnerability details

Unauthenticated SQL injection vulnerability in Uniguest Tripleplay version 23.1+ allows remote attackers to execute arbitrary SQL queries on the backend database.

CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, "SQL Injection")

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

An unauthenticated, network-reachable SQL injection flaw in a public-facing application is exactly the kind of weakness T1190 describes: it gives an adversary a foothold without any prior access or credentials.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2024-50707 (same product: Uniguest Tripleplay)
- CVE-2024-50704 (same product: Uniguest Tripleplay)
- CVE-2024-50705 (same product: Uniguest Tripleplay)
- CVE-2026-39334 (shared CWE-89)
- CVE-2024-13488 (shared CWE-89)
- CVE-2026-20002 (shared CWE-89)
- CVE-2025-1446 (shared CWE-89)
- CVE-2025-22699 (shared CWE-89)
- CVE-2026-36232 (shared CWE-89)
- CVE-2026-31871 (shared CWE-89)

Affected Assets

Vendor: uniguest
Product: tripleplay
Versions: 24.2 · 23.1 — 24.1.2

Mitigating Controls (NIST 800-53 r5)

- Prevent (vendor patching): Directly remediates the specific unauthenticated SQL injection flaw in Uniguest Tripleplay by applying vendor-provided patches and updates.

- Prevent (SI-10, Information Input Validation): Prevents SQL injection exploitation by validating and sanitizing all remote inputs so that malicious SQL payloads never reach the backend database.

- Prevent (SC-7, Boundary Protection): Mitigates remote unauthenticated attacks through boundary protections such as web application firewalls that inspect and block SQL injection attempts at network interfaces.