Cyber Posture

CVE-2024-53522

High

Published: 07 January 2025
Modified: 15 April 2026
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0096 (76.6th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-53522 is a high-severity Insufficient Entropy (CWE-331) vulnerability in Bangkok Medical Software (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Private Keys (T1552.004). The CVE ranks in the top 23.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SC-13 (Cryptographic Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Private Keys (T1552.004). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Requires secure establishment, distribution, storage, access, and destruction of cryptographic keys, directly preventing the use of hardcoded Key-IV pairs that enable attackers to decrypt sensitive information.

Prevent: Mandates implementation of cryptographic mechanisms in accordance with NIST standards to protect confidentiality, precluding weak implementations like hardcoded IDEA keys.

Prevent: Enforces cryptographic protection of information at rest, mitigating decryption risks from exposed keys in software components like executables and configuration files.

MITRE ATT&CK Enterprise Techniques

T1552.004 Private Keys (Credential Access)
Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials.
Why these techniques?

A hardcoded symmetric encryption key directly exposes the decryption material for protected data, which maps to access to unsecured private or symmetric keys.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Bangkok Medical Software HOSxP XE v4.64.11.3 was discovered to contain a hardcoded IDEA Key-IV pair in the HOSxPXE4.exe and HOS-WIN32.INI components. This allows attackers to access sensitive information.

Deeper analysis

CVE-2024-53522, published on 2025-01-07, affects Bangkok Medical Software HOSxP XE version 4.64.11.3. The vulnerability involves a hardcoded IDEA Key-IV pair within the HOSxPXE4.exe executable and HOS-WIN32.INI components, classified under CWE-331. This cryptographic weakness enables attackers to access sensitive information, earning a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation allows them to leverage the exposed Key-IV pair to decrypt protected data, resulting in high-impact confidentiality loss without affecting integrity or availability.
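The key-management control above (SC-12) turns into a concrete check: an added example, not code from the page, the vendor or NVD, that scans an INI file for options whose names and values look like embedded IDEA key or IV material. The option-name list and entropy threshold are heuristics chosen here, and the sample config is constructed with placeholder values.

```python
import configparser
import math
import re

# Heuristic option names that tend to hold key or IV material (assumption, not a standard).
SUSPECT_NAMES = re.compile(r"key|iv|secret|passphrase", re.IGNORECASE)
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Constructed sample config standing in for a product INI; values are placeholders, not real material.
SAMPLE_INI = """[Database]
Server = db.example.internal

[Crypto]
; constructed placeholder key and IV, not any vendor's values
IdeaKey = 00112233445566778899aabbccddeeff
IdeaIV = 0123456789abcdef
Mode = CBC
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random hex approaches 4.0, ordinary words sit well below 3.0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))

def decoded_bits(value: str) -> int:
    """Bit length of the value once decoded as hex or base64; 0 if it is neither encoding."""
    if HEX_RE.match(value):
        return len(value) * 4
    if B64_RE.match(value) and len(value) % 4 == 0:
        return (len(value) // 4 * 3 - value.count("=")) * 8
    return 0

def find_embedded_keys(ini_text: str, min_bits: int = 64) -> list:
    """Return (section, option, bits) for entries that look like embedded key/IV material; IDEA uses 128-bit keys and 64-bit blocks."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names as written instead of lowercasing them
    cp.read_string(ini_text)
    hits = []
    for section in cp.sections():
        for option, value in cp.items(section):
            value = value.strip().strip('"')
            bits = decoded_bits(value)
            if SUSPECT_NAMES.search(option) and bits >= min_bits and shannon_entropy(value) >= 3.0:
                hits.append((section, option, bits))
    return hits
```

Each hit is an entry to move out of the binary and INI into a managed key store provisioned at runtime, which is what SC-12 asks for.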

Advisories and further details are available from referenced sources including http://bangkok.com, http://hosxp.com, http://hosxp.net, and https://www.safecloud.co.th/researches/blog/CVE-2024-53522.

Details

CWE(s)

CWE-331 Insufficient Entropy

Affected Products

Bangkok Medical Software (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2026-41080 (shared CWE-331)
CVE-2025-13399 (shared CWE-331)
CVE-2025-29311 (shared CWE-331)
CVE-2020-36925 (shared CWE-331)
CVE-2026-34236 (shared CWE-331)
CVE-2026-22698 (shared CWE-331)
CVE-2025-1860 (shared CWE-331)
CVE-2025-1828 (shared CWE-331)
CVE-2025-15387 (shared CWE-331)
