Cyber Resilience

CVE-2024-56898

High

Published: 03 February 2025

Published
03 February 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0716 91.8th percentile
Risk Priority 22 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-56898 is a high-severity Improper Access Control (CWE-284) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 8.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2024-56898 is a broken access control vulnerability, tracked under CWE-284, that affects Geovision GV-ASWeb versions 6.1.0.0 and earlier. The flaw carries a CVSS 3.1 base score of 8.8 and permits authenticated low-privilege users to perform actions outside their authorization level.

An attacker with low-privilege network access can exploit the issue without user interaction to escalate privileges and create, modify, or delete accounts, resulting in full compromise of confidentiality, integrity, and availability on the affected system. The single reference URL points to a public GitHub repository but contains no vendor advisory or patch guidance. The associated EPSS score has remained low, with a current value of 0.0716 and a peak of 0.0893.

EU & UK References

Vulnerability details

Broken access control vulnerability in Geovision GV-ASWeb with version v6.1.0.0 or less. This vulnerability allows low privilege users perform actions that they aren't authorized to, which can be leveraged to escalate privileges, create, modify or delete accounts.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1098 Account Manipulation Persistence
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
T1136 Create Account Persistence
Adversaries may create an account to maintain access to victim systems.
Why these techniques?

Broken access control directly enables privilege escalation from low-priv accounts (T1068) and unauthorized account creation/modification/deletion (T1098/T1136).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-25950Shared CWE-284
CVE-2025-24968Shared CWE-284
CVE-2026-44730Shared CWE-284
CVE-2025-20341Shared CWE-284
CVE-2024-57378Shared CWE-284
CVE-2025-25585Shared CWE-284
CVE-2026-26417Shared CWE-284
CVE-2026-48898Shared CWE-284
CVE-2026-25176Shared CWE-284
CVE-2026-48899Shared CWE-284

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-3 enforces approved authorizations for access to system resources, directly preventing low-privilege users from performing unauthorized administrative actions like privilege escalation and account management.

prevent

AC-6 applies least privilege to restrict users and processes to only necessary accesses, mitigating privilege escalation by low-privilege users in the vulnerable system.

prevent

AC-2 manages account lifecycle processes including creation, modification, and deletion, ensuring only authorized personnel can perform these actions exploited by the vulnerability.

References