Cyber Resilience

CVE-2024-52510

Severity: Medium

Published: 15 November 2024
Modified: 28 August 2025
KEV Added: not listed
CVSS v3.1 base score: 4.2 (vector CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N)
EPSS score: 0.0049 (66.1 percentile)
Risk Priority: 9 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-52510 is a medium-severity Improper Certificate Validation (CWE-295) vulnerability in Nextcloud Desktop. Its CVSS base score is 4.2 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Stealth (T1211). The CVE ranks in the top 33.9% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

Vulnerability details

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. The Desktop client did not stop with an error but allowed bypassing the signature validation if a manipulated server sends an empty initial signature.…

It is recommended that the Nextcloud Desktop client be upgraded to 3.14.2 or later.
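An added illustration of the bug class the advisory describes, not code from the Nextcloud project: a client-side check that treats an empty initial signature as "nothing to verify" (fail open) beside a fail-closed version. HMAC-SHA256, the key and the metadata payload are constructed stand-ins for the real end-to-end encryption signature scheme.

```python
"""Fail-closed signature validation, illustrating the CVE-2024-52510 bug class.

Added example, not Nextcloud code. HMAC-SHA256 with a shared key stands in for
the real end-to-end encryption signature scheme; key and payload are constructed.
"""
import hashlib
import hmac

SIG_LEN = hashlib.sha256().digest_size

# Constructed sample values (placeholders, not real key material).
CLIENT_KEY = b"constructed-demo-key"
METADATA = b'{"version":2,"users":[]}'


def sign(key: bytes, data: bytes) -> bytes:
    """Server-side signing stand-in for the demo."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_vulnerable(key: bytes, data: bytes, sig: bytes) -> bool:
    """Defective pattern: an empty initial signature is treated as 'nothing to
    check' and accepted, so a manipulated server can switch verification off."""
    if not sig:
        return True  # fails open
    return hmac.compare_digest(sign(key, data), sig)


def verify_fixed(key: bytes, data: bytes, sig: bytes) -> bool:
    """Hardened pattern: reject empty or wrong-length signatures before any
    comparison, and compare in constant time."""
    if not isinstance(sig, (bytes, bytearray)) or len(sig) != SIG_LEN:
        return False
    return hmac.compare_digest(sign(key, data), bytes(sig))


def accept_metadata(key: bytes, data: bytes, sig: bytes, verify=verify_fixed) -> bytes:
    """Client entry point: stop with an error instead of continuing on failure."""
    if not verify(key, data, sig):
        raise ValueError("metadata signature invalid or missing; refusing to sync")
    return data


if __name__ == "__main__":
    tampered = b'{"version":3,"users":[]}'  # constructed, unsigned metadata
    print("vulnerable accepts unsigned metadata:", verify_vulnerable(CLIENT_KEY, tampered, b""))
    print("fixed accepts unsigned metadata:", verify_fixed(CLIENT_KEY, tampered, b""))
```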

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1211 Exploitation for Stealth (Stealth)
Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.

T1553 Subvert Trust Controls (Defense Impairment)
Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs.

Why these techniques?

The vulnerability enables bypassing end-to-end encryption signature validation in the Nextcloud Desktop Client when a manipulated server sends an empty initial signature, facilitating exploitation for defense evasion (T1211) and subverting trust controls via improper certificate/signature validation (T1553).

Affected Assets

nextcloud desktop: versions 3.0.0 to 3.14.2

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control addressing CWE-295: When certificates are used to establish component provenance, the control requires correct certificate validation procedures.

Control addressing CWE-295: Mandates approved trust anchors and issuance policies, directly preventing acceptance of unvalidated or untrusted certificates.

Control addressing CWE-295: Correct system time is required for proper enforcement of certificate notBefore/notAfter dates and time-based revocation checks.
