
CVE-2024-55971

Severity: Critical
Published: 23 January 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: none recorded
CVSS v3.1 Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0060 (70.0th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-55971 is a critical-severity SQL Injection (CWE-89) vulnerability in Logitime WebClock (inferred from references). Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 30.0% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-55971 is a SQL injection vulnerability (CWE-89) present in the default configuration of the Logitime WebClock application, affecting versions up to and including 5.43.0. This flaw enables an unauthenticated user to execute arbitrary code on the backend database server. The vulnerability has been assigned a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), classifying it as critical due to its network accessibility, low attack complexity, lack of required privileges or user interaction, scope change, and high impacts across confidentiality, integrity, and availability.

Any attacker with network access to a vulnerable WebClock instance can exploit this SQL injection flaw without authentication or special privileges. Successful exploitation allows the attacker to run arbitrary SQL commands, potentially leading to full compromise of the backend database server, including data exfiltration, modification, or deletion, as well as possible privilege escalation or lateral movement within the environment.

Mitigation details and further technical information are available in vendor resources and the independent disclosure. Relevant references include the Logitime time-attendance page (https://en.logitime.com/time-attendance/), Dutch Logitime sites (https://nl.logitime.com/ and https://nl.logitime.com/download/webclock-v5-43-0-13-12-2024/), and a detailed disclosure at https://tulling.dev/disclosures/cve-2024-55971/. Security practitioners should review these for patching instructions or configuration hardening guidance specific to WebClock deployments.

Vulnerability details

SQL Injection vulnerability in the default configuration of the Logitime WebClock application <= 5.43.0 allows an unauthenticated user to run arbitrary code on the backend database server.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The flaw is a direct, unauthenticated SQL injection in a publicly accessible web application (WebClock) that enables arbitrary database commands and server compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-39334 (shared CWE-89)
CVE-2024-13488 (shared CWE-89)
CVE-2026-20002 (shared CWE-89)
CVE-2025-1446 (shared CWE-89)
CVE-2025-22699 (shared CWE-89)
CVE-2026-36232 (shared CWE-89)
CVE-2026-31871 (shared CWE-89)
CVE-2026-33078 (shared CWE-89)
CVE-2026-46359 (shared CWE-89)
CVE-2025-22691 (shared CWE-89)

Affected Assets

Vendor: Logitime
Product: WebClock
(Inferred from references and description; NVD did not file a CPE for this CVE.)

Mitigating Controls

NIST 800-53 r5 control mappings (AI)

Prevent: SI-10 (Information Input Validation) requires validation of information inputs, directly preventing SQL injection by rejecting or sanitizing malicious SQL payloads in the WebClock application.

Prevent: SI-2 (Flaw Remediation) mandates timely identification, reporting, and correction of flaws, directly addressing this specific SQL injection vulnerability through patching.

Prevent: CM-6 (Configuration Settings) enforces secure configuration settings, mitigating the SQL injection flaw present in the default configuration of Logitime WebClock <= 5.43.0.