CVE-2024-54880
Published: 06 January 2025
Summary
CVE-2024-54880 is a critical-severity Improper Preservation of Permissions (CWE-281) vulnerability in SeaCMS (vendor Seacms). Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Create Account (T1136). The CVE ranks in the top 8.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).
Deeper analysis
SeaCMS V13.1 is affected by an incorrect access control vulnerability tracked as CVE-2024-54880 and CWE-281. The flaw arises from a logic error in the registration process that fails to enforce proper restrictions, allowing bulk account creation without authentication.
Unauthenticated remote attackers can exploit the issue over the network with low complexity to register arbitrary numbers of accounts, resulting in high confidentiality and integrity impacts according to the CVSS 9.1 rating. The EPSS score has remained flat at 0.0731 with no indicated rise after disclosure. No mitigation details or patch information appear in the supplied references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-52688
Vulnerability details
SeaCMS V13.1 is vulnerable to Incorrect Access Control. A logic flaw can be exploited by an attacker to allow any user to register accounts in bulk.
- CWE(s): CWE-281 (Improper Preservation of Permissions)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly bypasses registration controls, enabling bulk account creation (Create Account, T1136) on a public-facing web application (Exploit Public-Facing Application, T1190).
Mitigating Controls (NIST 800-53 r5)
AC-2 establishes procedures for account creation, approval, and management, directly preventing unauthorized bulk account registrations exploiting the logic flaw.
AC-3 enforces approved access control policies, comprehensively addressing the incorrect access control that permits bulk registrations by any user.
AC-6 applies least privilege to security functions like account creation, limiting the ability of unauthenticated users to perform bulk registrations.
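The analysis above describes a registration flow that fails to restrict how many accounts one unauthenticated source may create, and the AC-2/AC-6 controls describe throttling and approving account creation. The following is an added example, not SeaCMS code and not taken from the CVE record: a small registration gate that caps sign-ups per source inside a sliding window and parks new accounts in a pending state for approval, plus a detector that runs the same sliding-window check over constructed registration log lines to surface bulk account creation (T1136). The log format, the window, the cap, and the IPs are all constructed assumptions; nothing here models SeaCMS's actual logic flaw.

```python
"""Added example (not SeaCMS code, not from the CVE record): a throttled
registration gate and a log-based detector for bulk account creation.
Log format, thresholds and addresses are constructed assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed observation window
MAX_PER_SOURCE = 3               # assumed cap on sign-ups per source per window


class RegistrationGate:
    """Preventive control in the spirit of AC-2/AC-6: a registration request is
    honoured only if the source has fewer than MAX_PER_SOURCE accepted sign-ups
    in the last WINDOW. Accepted accounts are queued as 'pending' so that an
    AC-2 approval step can happen before the account becomes usable."""

    def __init__(self):
        self._seen = defaultdict(deque)   # source -> timestamps of accepted sign-ups
        self.pending = []                 # (username, source) awaiting approval

    def register(self, source, username, now):
        q = self._seen[source]
        while q and now - q[0] > WINDOW:  # forget sign-ups older than the window
            q.popleft()
        if len(q) >= MAX_PER_SOURCE:
            return False                  # throttled: bulk creation from one source
        q.append(now)
        self.pending.append((username, source))
        return True


# Constructed sample of registration events (not real logs). One source
# creates five accounts in four seconds; the others behave normally.
SAMPLE_LOG = """\
2025-01-06T10:00:01Z REGISTER ip=203.0.113.7 user=bot001
2025-01-06T10:00:02Z REGISTER ip=203.0.113.7 user=bot002
2025-01-06T10:00:02Z REGISTER ip=203.0.113.7 user=bot003
2025-01-06T10:00:03Z REGISTER ip=203.0.113.7 user=bot004
2025-01-06T10:00:04Z REGISTER ip=203.0.113.7 user=bot005
2025-01-06T10:05:00Z REGISTER ip=198.51.100.9 user=alice
2025-01-06T10:06:10Z LOGIN ip=198.51.100.9 user=alice
2025-01-06T10:20:00Z REGISTER ip=192.0.2.5 user=bob
2025-01-06T10:40:00Z REGISTER ip=192.0.2.5 user=carol
"""


def parse_line(line):
    """Split '<ts> <ACTION> k=v k=v' into (datetime, action, dict)."""
    ts_str, action, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"), action, kv


def detect_bulk_registration(log_text, threshold=MAX_PER_SOURCE, window=WINDOW):
    """Detection control: return {source: peak_count} for every source whose
    REGISTER events exceed `threshold` inside any span of length `window`."""
    by_source = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, action, kv = parse_line(line)
        if action == "REGISTER":
            by_source[kv["ip"]].append(ts)

    flagged = {}
    for ip, times in by_source.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def demo_gate():
    """Exercise the gate: three sign-ups pass, the fourth from the same source
    is throttled, another source is unaffected, and the window eventually resets."""
    gate = RegistrationGate()
    t0 = datetime(2025, 1, 6, 10, 0, 0)
    attempts = [
        ("203.0.113.7", "a", t0),
        ("203.0.113.7", "b", t0 + timedelta(seconds=1)),
        ("203.0.113.7", "c", t0 + timedelta(seconds=2)),
        ("203.0.113.7", "d", t0 + timedelta(seconds=3)),   # throttled
        ("198.51.100.9", "e", t0 + timedelta(seconds=3)),
        ("203.0.113.7", "f", t0 + timedelta(minutes=11)),  # window has passed
    ]
    return [gate.register(src, user, when) for src, user, when in attempts]


if __name__ == "__main__":
    print("gate decisions:", demo_gate())                        # [True, True, True, False, True, True]
    print("flagged sources:", detect_bulk_registration(SAMPLE_LOG))  # {'203.0.113.7': 5}
```

The gate keys on source address only because that is the one attribute the sample log carries; a real deployment would combine it with the other AC-2 steps the page names (approval before activation, and an audit trail of who created what), since a single threshold is easy to stay under with enough sources. The detector deliberately reuses the same window and cap so that what the gate would have blocked is exactly what the logs would flag after the fact.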