Cyber Resilience

CVE-2024-54851

HighPublic PoC

Published: 29 January 2025

Published
29 January 2025
Modified
23 May 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0004 11.8th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-54851 is a high-severity CSRF (CWE-352) vulnerability in Sismics Teedy. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-54851 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Teedy versions 1.12 and earlier, stemming from the absence of CSRF protection mechanisms. This flaw, classified under CWE-352, carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low complexity, lack of required privileges, and potential for significant impacts on confidentiality, integrity, and availability.

An unauthenticated attacker (PR:N) can exploit this vulnerability by crafting a malicious webpage or resource that, when visited by an authenticated Teedy user (UI:R), triggers unauthorized requests to the Teedy application. Successful exploitation allows the attacker to perform actions on behalf of the victim user, potentially leading to high-impact outcomes such as data modification, deletion, or unauthorized access, depending on the user's privileges within the Teedy instance.

For mitigation details, refer to the advisory provided in the GitHub repository at https://github.com/Tanguy-Boisset/CVE/blob/master/CVE-2024-54851/README.md, which documents the issue discovered by Tanguy Boisset.

EU & UK References

Vulnerability details

Teedy <= 1.12 is vulnerable to Cross Site Request Forgery (CSRF), due to the lack of CSRF protection.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2024-54851 is a CSRF vulnerability in the public-facing Teedy web application, enabling exploitation to perform unauthorized state-changing actions on behalf of authenticated users.

CVEs Like This One

CVE-2025-22963Same product: Sismics Teedy
CVE-2024-54852Same product: Sismics Teedy
CVE-2024-37102Shared CWE-352
CVE-2024-37450Shared CWE-352
CVE-2025-23558Shared CWE-352
CVE-2025-68722Shared CWE-352
CVE-2025-31440Shared CWE-352
CVE-2025-23848Shared CWE-352
CVE-2025-22571Shared CWE-352
CVE-2024-53684Shared CWE-352

Affected Assets

sismics
teedy
≤ 1.12

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SC-23 requires mechanisms to protect the authenticity of communications sessions, such as anti-CSRF tokens, directly addressing the lack of CSRF protection in Teedy.

prevent

SI-2 mandates identification, reporting, and timely correction of system flaws, comprehensively mitigating this CSRF vulnerability through patching or code remediation.

detect

RA-5 requires vulnerability scanning that would identify the CSRF flaw in Teedy during assessments, enabling proactive remediation.

References