
CVE-2024-56529

High

Published: 28 January 2025
Modified: 15 April 2026
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N)
EPSS Score: 0.0013 (31.2nd percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-56529 is a high-severity Session Fixation (CWE-384) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 31.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and AC-12 (Session Termination).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SC-23 Session Authenticity (prevent): directly mitigates session fixation by requiring mechanisms to protect session authenticity, such as regenerating session identifiers upon authentication.

AC-12 Session Termination (prevent): limits the exploitation window by enforcing session termination after defined inactivity periods or events.

AU-14 Session Audit (detect, partial match): enables auditing of session start/end and events to identify anomalous access indicative of hijacked sessions.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1185 Browser Session Hijacking (Collection): adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.

Why these techniques?

Session fixation in the public-facing web panel directly enables T1190 exploitation and subsequent T1185 browser session hijacking: the session identifier the attacker set before the victim logged in remains valid afterwards.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Mailcow through 2024-11b has a session fixation vulnerability in the web panel. It allows remote attackers to set a session identifier when HSTS is disabled on a victim's browser. After a user logs in, they are authenticated and the session identifier is valid. Then, a remote attacker can access the victim's web panel with the same session identifier.

Deeper analysis

CVE-2024-56529 is a session fixation vulnerability (CWE-384) in the web panel of Mailcow through version 2024-11b. Published on 2025-01-28, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N), indicating network-accessible exploitation with low complexity, no privileges required, and user interaction needed, resulting in low confidentiality impact, high integrity impact, and no availability impact.

Remote attackers without privileges can exploit this vulnerability by setting a session identifier on a victim's browser when HSTS is disabled. After the victim authenticates by logging into the web panel, the session identifier becomes valid for authenticated access, enabling the attacker to hijack the session and access the victim's web panel using the same identifier.

Mitigation details are available in the vendor's security advisory at https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-23c8-4wwr-g3c6.
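To make the SC-23 and AC-12 controls listed above concrete, here is an added example (not Mailcow's code, written in Python rather than the panel's PHP) of a toy session store that can run in the CWE-384 pattern the analysis describes, where an identifier already present in the browser is authenticated in place, or in the hardened form, where unknown identifiers are never adopted and the identifier is regenerated on login and retired after inactivity. All names and the planted identifier value are constructed for the example.

```python
import secrets

class SessionStore:
    """Constructed session store; fixation_safe=False reproduces CWE-384:
    a client-presented ID is adopted as-is and later authenticated in place."""
    def __init__(self, fixation_safe, idle_timeout=900):
        self.fixation_safe = fixation_safe
        self.idle_timeout = idle_timeout  # AC-12: seconds of inactivity allowed
        self._sessions = {}

    def resolve(self, presented_id, now):
        """Return the session ID the server will use for this request."""
        s = self._sessions.get(presented_id) if presented_id else None
        if s is not None:
            if now - s["last_seen"] <= self.idle_timeout:
                s["last_seen"] = now
                return presented_id
            del self._sessions[presented_id]  # AC-12: terminate the idle session
        if presented_id and not self.fixation_safe:
            # Vulnerable: adopt an unknown, client-chosen ID (e.g. a planted cookie)
            self._sessions[presented_id] = {"user": None, "last_seen": now}
            return presented_id
        sid = secrets.token_urlsafe(32)  # Safe: unknown IDs are ignored
        self._sessions[sid] = {"user": None, "last_seen": now}
        return sid

    def login(self, sid, user, now):
        """Authenticate; returns the ID the client must use from now on."""
        if self.fixation_safe:
            # SC-23: regenerate the identifier on authentication so a pre-login
            # ID known to anyone else never maps to the authenticated user
            self._sessions.pop(sid, None)
            sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": now}
        return sid

    def user_for(self, sid, now):
        s = self._sessions.get(sid)
        if s is None or now - s["last_seen"] > self.idle_timeout:
            return None
        return s["user"]

def preset_id_reaches_account(fixation_safe):
    """True if a pre-set ID still resolves to the victim's account after login."""
    store = SessionStore(fixation_safe)
    preset = "id-planted-before-login"  # constructed stand-in for a fixed cookie
    sid = store.resolve(preset, now=0)  # victim's browser presents the planted ID
    store.login(sid, "victim", now=1)   # victim authenticates
    return store.user_for(preset, now=2) == "victim"
```

The regenerate-on-login step is the one a web panel must perform server-side; relying on HSTS alone only narrows how the identifier can be planted, it does not remove the fixation.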

Details

CWE(s): CWE-384 Session Fixation

CVEs Like This One

CVE-2026-24352 (shared CWE-384)
CVE-2026-23796 (shared CWE-384)
CVE-2025-63529 (shared CWE-384)
CVE-2025-52689 (shared CWE-384)
CVE-2025-69602 (shared CWE-384)
CVE-2023-53776 (shared CWE-384)
CVE-2024-13279 (shared CWE-384)
CVE-2026-31940 (shared CWE-384)
CVE-2026-2177 (shared CWE-384)
CVE-2026-25101 (shared CWE-384)