CVE-2024-50707
Published: 04 March 2025
Summary
CVE-2024-50707 is a critical-severity Code Injection (CWE-94) vulnerability in Uniguest Tripleplay. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks in the top 8.5% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-50707 is an unauthenticated remote code execution flaw affecting Uniguest Tripleplay software prior to version 24.2.1. The vulnerability stems from improper handling of the X-Forwarded-For header in incoming HTTP GET requests and is tracked under CWE-94, with a maximum CVSS 3.1 score of 10.0 reflecting network-accessible, low-complexity exploitation with no privileges or user interaction required, a changed scope, and high impact to confidentiality, integrity and availability.
Remote, unauthenticated attackers can supply a malicious X-Forwarded-For header to trigger arbitrary code execution on the target system, enabling full compromise without any user interaction or credentials.
Vendor advisories and a detailed summary are published at uniguest.com/cve-bulletins/ and in the PDF at uniguest.com/wp-content/uploads/2025/02/CVE-2024-50707-Vulnerability-Summary.pdf, indicating that the issue is resolved in release 24.2.1. The associated EPSS score rose from lower values after disclosure to a peak of 0.1219 on 2026-04-18 before receding to the current 0.0675. EPSS estimates the probability of exploitation activity in the next 30 days, so this rise and fall reflects a period of elevated predicted exploitation interest rather than confirmed in-the-wild exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-54228
Vulnerability details
Unauthenticated remote code execution vulnerability in Uniguest Tripleplay before 24.2.1 allows remote attackers to execute arbitrary code via the X-Forwarded-For header in an HTTP GET request.
- CWE-94: Improper Control of Generation of Code ('Code Injection')
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
The CVE describes an unauthenticated RCE vulnerability in a public-facing web application (via crafted HTTP header), directly enabling initial access through exploitation of public-facing applications.
Affected Assets
- Uniguest Tripleplay, versions before 24.2.1 (fixed in 24.2.1)
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation) requires timely patching of known flaws; for CVE-2024-50707 that means upgrading Uniguest Tripleplay to 24.2.1 or later, which removes the unauthenticated RCE. This is the only control that actually eliminates the vulnerability; the others below reduce exposure until the upgrade is applied.
SI-10 (Information Input Validation) requires that untrusted input such as the X-Forwarded-For HTTP header be validated before use. For this header, the effective check is a strict allow-list: the value is only ever a comma-separated list of IP address literals, so anything that does not parse as such should be discarded rather than passed on to the component that interprets it.
SC-7 (Boundary Protection) provides a compensating control via firewalls or WAFs that can block HTTP GET requests carrying malformed X-Forwarded-For headers before they reach the affected endpoint, and can restrict reachability of the Tripleplay interface to trusted networks. Note that reverse proxies and load balancers legitimately set X-Forwarded-For on every request, so rules must reject values that are not valid IP lists rather than the presence of the header itself, or legitimate traffic will be dropped.
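The following is an added example written for this page; it is not Uniguest code and does not reflect how Tripleplay handles the header. It shows the SI-10 and SC-7 approach described above for X-Forwarded-For: validate the header strictly as a list of IP literals, derive the client address only from a trusted proxy, and use the same validator to flag suspicious values at a boundary device or in logs. The trusted-proxy set and all sample header values are constructed assumptions for the example; the sample payloads are generic malformed strings, not an exploit for CVE-2024-50707. Because the allow-list is the IP-address grammar itself, the check rejects injection attempts for any interpreter regardless of their specific syntax.

```python
import ipaddress
from typing import List, Optional, Tuple

# Hypothetical policy for this example: reverse proxies that are permitted to
# set X-Forwarded-For. Any other peer's header is ignored entirely.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}


def parse_forwarded_for(value: str, max_hops: int = 10):
    """Strictly validate an X-Forwarded-For value (allow-list, SI-10 style).

    Returns a list of ipaddress objects if the value is a comma-separated
    list of IP literals, otherwise None. Hostnames, ports, empty hops, an
    excessive hop count, and any character outside the IP grammar are all
    rejected, so no interpreter-specific payload can pass through.
    """
    if not value or len(value) > 1024:
        return None
    parts = [p.strip(" \t") for p in value.split(",")]
    if len(parts) > max_hops:
        return None
    addrs = []
    for part in parts:
        # Python 3.9+ accepts an arbitrary IPv6 zone id after '%' (e.g.
        # 'fe80::1%;id'); that is free-form text, so reject it explicitly.
        if not part or "%" in part:
            return None
        try:
            addrs.append(ipaddress.ip_address(part))
        except ValueError:
            return None
    return addrs


def client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Return the address to treat as the client.

    The header is honoured only when the TCP peer is a trusted proxy and the
    value validates; otherwise the peer address is used. The result is the
    rightmost hop that is not itself a trusted proxy, which prevents a client
    from spoofing an earlier hop.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in TRUSTED_PROXIES or xff is None:
        return str(peer)
    hops = parse_forwarded_for(xff)
    if hops is None:
        return str(peer)  # malformed header: fall back, do not interpret it
    for addr in reversed(hops):
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return str(peer)


def find_suspicious(samples: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Boundary/detection helper: return the samples that fail validation.

    A WAF rule or log review would block or alert on exactly these values.
    """
    return [(name, v) for name, v in samples if parse_forwarded_for(v) is None]


# Constructed sample header values for the example (not captured traffic).
SAMPLES = [
    ("single-v4", "203.0.113.7"),
    ("chain", "203.0.113.7, 10.0.0.2"),
    ("v6", "2001:db8::1"),
    ("hostname", "evil.example"),
    ("port", "203.0.113.7:8080"),
    ("shell-meta", "203.0.113.7; id"),
    ("tag-in-value", "<?php phpinfo(); ?>"),
    ("empty-hop", "203.0.113.7,,10.0.0.2"),
    ("zone-id", "fe80::1%;id"),
]

if __name__ == "__main__":
    for name, value in find_suspicious(SAMPLES):
        print(f"REJECT {name}: {value!r}")
    print("client behind trusted proxy:",
          client_ip("10.0.0.2", "203.0.113.7, 10.0.0.2"))
    print("header from untrusted peer ignored:",
          client_ip("198.51.100.9", "203.0.113.7"))
```

The rightmost-untrusted-hop rule matters because the leftmost entry is attacker-controlled; only the hop appended by your own proxy can be trusted. On the boundary side, the same parser expresses the SC-7 rule correctly: reject values that are not IP lists, not requests that merely carry the header.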