Cyber Resilience

CVE-2024-50707

Severity: Critical · RCE

Published: 04 March 2025
Modified: 28 May 2025
KEV Added: not listed
Patch: fixed in 24.2.1
CVSS Score v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0675 (91.5th percentile)
Risk Priority: 24 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-50707 is a critical-severity Code Injection (CWE-94) vulnerability in Uniguest Tripleplay. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 8.5% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-50707 is an unauthenticated remote code execution flaw affecting Uniguest Tripleplay software prior to version 24.2.1. The vulnerability stems from improper handling of the X-Forwarded-For header in incoming HTTP GET requests and is tracked under CWE-94. Its maximum CVSS 3.1 score of 10.0 reflects network-accessible, low-complexity exploitation requiring no privileges or user interaction, with high impact on confidentiality, integrity and availability and a scope change beyond the vulnerable component.

Remote, unauthenticated attackers can supply a malicious X-Forwarded-For header to trigger arbitrary code execution on the target system, enabling full compromise without any user interaction or credentials.

Vendor advisories and a detailed summary are published at uniguest.com/cve-bulletins/ and in the PDF at uniguest.com/wp-content/uploads/2025/02/CVE-2024-50707-Vulnerability-Summary.pdf; both state that the issue is resolved in release 24.2.1. The associated EPSS score rose from lower values after disclosure to a peak of 0.1219 on 2026-04-18 before receding to the current 0.0675, indicating a period of increased exploitation interest that later subsided.

Vulnerability details

Unauthenticated remote code execution vulnerability in Uniguest Tripleplay before 24.2.1 allows remote attackers to execute arbitrary code via the X-Forwarded-For header in an HTTP GET request.

CWE(s)

CWE-94 Code Injection

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes an unauthenticated RCE vulnerability in a public-facing web application, triggered via a crafted HTTP header, which directly enables initial access through exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-50704 · Same product: Uniguest Tripleplay
CVE-2024-50706 · Same product: Uniguest Tripleplay
CVE-2024-50705 · Same product: Uniguest Tripleplay
CVE-2025-13773 · Shared CWE-94
CVE-2025-50692 · Shared CWE-94
CVE-2026-30643 · Shared CWE-94
CVE-2026-30460 · Shared CWE-94
CVE-2025-71243 · Shared CWE-94
CVE-2026-44262 · Shared CWE-94
CVE-2024-13792 · Shared CWE-94

Affected Assets

Vendor: uniguest
Product: tripleplay
Affected versions: 24.2 · ≤ 24.1.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SI-2 Flaw Remediation · prevent

SI-2 requires timely patching of known flaws like CVE-2024-50707 in Uniguest Tripleplay to version 24.2.1, directly eliminating the unauthenticated RCE vulnerability.

SI-10 Information Input Validation · prevent

SI-10 enforces validation of untrusted inputs such as the X-Forwarded-For HTTP header to prevent code injection exploitation in the affected endpoint.

SC-7 Boundary Protection · prevent · detect

SC-7 provides boundary protection via firewalls or WAFs to monitor and block remote HTTP GET requests with malicious X-Forwarded-For headers targeting this public-facing vulnerability.
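As an added illustration of what the SI-10 and SC-7 controls above look like in practice, the following Python is example code written for this page; it is not Uniguest's or Tripleplay's code and says nothing about how the product itself parses the header. It shows a strict X-Forwarded-For validator that accepts only a short, comma-separated list of IP literals and rejects everything else before any application logic can read the value, a client-address selection that trusts only hops added by known proxies, and an audit pass that flags access-log records whose header value fails the check. MAX_HOPS, MAX_HEADER_LEN, the trusted-proxy set and the log lines are assumptions or constructed sample data.

```python
"""Strict X-Forwarded-For validation plus a log-audit pass (added example).

Assumptions, not taken from the advisory: a valid header is a comma-separated
list of at most MAX_HOPS IP literals and at most MAX_HEADER_LEN characters.
A hypothetical web front-end calls validate_xff() before any code path reads
the header; audit_log() runs over access logs that record the header value.
"""
import ipaddress
from typing import Dict, List, Optional, Set

MAX_HOPS = 10          # assumed upper bound on proxy-chain length
MAX_HEADER_LEN = 256   # assumed hard cap; ten IPv6 literals plus separators fit


def validate_xff(value: Optional[str]) -> List[str]:
    """Return the canonical list of IP literals in an X-Forwarded-For header.

    Raises ValueError for anything that is not a short, comma-separated list of
    well-formed IPv4/IPv6 addresses, so the raw header never reaches application
    logic in any other shape (the SI-10 input-validation control).
    """
    if value is None or value == "":
        return []
    if len(value) > MAX_HEADER_LEN:
        raise ValueError("X-Forwarded-For too long")
    hops = [hop.strip() for hop in value.split(",")]
    if len(hops) > MAX_HOPS:
        raise ValueError("too many hops")
    canonical = []
    for hop in hops:
        if not hop:
            raise ValueError("empty hop")
        # ipaddress.ip_address raises ValueError for anything that is not an IP literal
        canonical.append(str(ipaddress.ip_address(hop)))
    return canonical


def client_ip(xff: Optional[str], peer_ip: str, trusted_proxies: Set[str]) -> str:
    """Pick the client address from the validated chain.

    Walk from the TCP peer leftwards and skip hops that are trusted proxies;
    the first untrusted address is the one the last trusted proxy actually
    saw. If the peer itself is untrusted, the header is ignored entirely.
    """
    chain = validate_xff(xff) + [peer_ip]
    for addr in reversed(chain):
        if addr not in trusted_proxies:
            return addr
    return peer_ip  # every hop was a trusted proxy


# Constructed access-log records (not real traffic): "<time> <peer> <method> <path> xff=<value>"
SAMPLE_LOG = [
    "2025-03-04T10:00:01Z 198.51.100.4 GET /index.html xff=203.0.113.7",
    "2025-03-04T10:00:02Z 198.51.100.4 GET /index.html xff=203.0.113.7, 10.0.0.5",
    "2025-03-04T10:00:03Z 198.51.100.4 GET /index.html xff=2001:db8::1",
    "2025-03-04T10:00:04Z 198.51.100.4 GET /index.html xff=not-an-address",
    "2025-03-04T10:00:05Z 198.51.100.4 GET /index.html xff=203.0.113.7,,10.0.0.5",
    "2025-03-04T10:00:06Z 198.51.100.4 GET /index.html xff=" + ",".join(["10.0.0.1"] * 11),
]


def audit_log(lines: List[str]) -> List[Dict[str, object]]:
    """Flag log records whose X-Forwarded-For value fails validate_xff().

    This is the detect side of SC-7: the same rule a WAF or reverse proxy
    would enforce, applied retrospectively to logged header values.
    """
    findings = []
    for number, line in enumerate(lines, 1):
        _, _, xff = line.partition(" xff=")
        try:
            validate_xff(xff)
        except ValueError as err:
            findings.append({"line": number, "value": xff, "reason": str(err)})
    return findings


if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print(f"line {finding['line']}: {finding['reason']}: {finding['value']!r}")
```

Running the module reports lines 4, 5 and 6 of the constructed log (a non-IP token, an empty hop, and a chain longer than MAX_HOPS); the three well-formed records pass. The validator is deliberately allow-list only: it does not try to recognise specific bad patterns, it canonicalises every hop through the standard library's address parser and refuses anything that does not round-trip.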
