CVE-2024-53573
Published: 26 February 2025
Summary
CVE-2024-53573 is a critical-severity Improper Access Control (CWE-284) vulnerability in Changeweb Unifiedtransform. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 49.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-3 requires enforcement of approved authorizations for logical access, directly preventing unauthorized users from accessing and manipulating administrative endpoints like teacher/edit/{id}.
AC-6 enforces least privilege, ensuring only authorized administrators can access sensitive teacher edit functions, mitigating the incorrect access control flaw.
AC-14 limits and documents actions permitted without identification or authentication, countering the vulnerability's allowance of admin operations by unauthenticated users.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct remote exploitation of public-facing web app via unauthenticated access control bypass on admin endpoints.
NVD Description
Unifiedtransform v2.X is vulnerable to Incorrect Access Control. Unauthorized users can access and manipulate endpoints intended exclusively for administrative use. This issue specifically affects teacher/edit/{id}.
Deeper analysisAI
Unifiedtransform v2.X, an open-source school management system, is affected by CVE-2024-53573, an incorrect access control vulnerability classified under CWE-284. The flaw allows unauthorized users to access and manipulate endpoints intended exclusively for administrative use, with the teacher/edit/{id} endpoint specifically impacted. Assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), it represents a critical risk due to its potential for high-impact unauthorized modifications without requiring authentication or user interaction.
Attackers can exploit this vulnerability remotely over the network with no privileges or special conditions needed. Any unauthenticated user, including external adversaries, can directly access the vulnerable endpoint to view, edit, or delete sensitive teacher information, potentially leading to data tampering, unauthorized privilege escalation within the system, or broader compromise of school administrative functions.
Mitigation details are outlined in advisories available at the following references: https://drive.google.com/file/d/14Or6QIpOeLEqdFm1mwxdE_NNCOwMmcFc/view and https://www.getastra.com/blog/vulnerability/improper-access-control-in-school-management-system-unifiedtransform/. Security practitioners should consult these sources for patching instructions, access control hardening recommendations, and any vendor-provided updates to address the exposure in Unifiedtransform v2.X deployments.
Details
- CWE(s)