CVE-2024-54879
Published: 06 January 2025
Summary
CVE-2024-54879 is a critical-severity Improper Preservation of Permissions (CWE-281) vulnerability in SeaCMS (vendor Seacms). Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 9.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
SeaCMS V13.1 contains an incorrect access control vulnerability (CWE-281) stemming from a logic flaw in its member recharge functionality. The affected component allows unauthorized manipulation of account balances or membership status without proper validation of recharge requests or limits.
An unauthenticated attacker can exploit the flaw over the network with low complexity to indefinitely recharge member accounts. Successful exploitation grants the ability to alter billing and membership data at will, producing high impact on confidentiality and integrity while leaving availability unaffected.
The EPSS score remains flat at 0.0571 with no material increase after disclosure. Public references point to the vendor site and a technical write-up but supply no official patch or mitigation guidance.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-52687
Vulnerability details
SeaCMS V13.1 is vulnerable to Incorrect Access Control. A logic flaw can be exploited by an attacker to allow any user to recharge members indefinitely.
- CWE(s): CWE-281 (Improper Preservation of Permissions)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
Direct, unauthenticated network exploitation of a logic flaw in the public-facing SeaCMS web application enables indefinite unauthorized account recharging and manipulation of membership data.
Affected Assets
- SeaCMS V13.1
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations for access to system resources, directly preventing the logic flaw that allows unauthorized recharging of member accounts.
- AC-14 (Permitted Actions Without Identification or Authentication): Explicitly identifies and authorizes only the specific actions that may be performed without identification or authentication, blocking unauthenticated recharge exploitation.
- AC-6 (Least Privilege): Restricts recharge capabilities to only the authorized users or roles that need them, mitigating indefinite unauthorized recharges by any user.