Cyber Resilience

CVE-2024-57032

CriticalPublic PoC

Published: 17 January 2025

Published
17 January 2025
Modified
19 March 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0077 74.0th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-57032 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in Wegia Wegia. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Account Manipulation (T1098); ranked in the top 26.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2024-57032 is an incorrect access control vulnerability in WeGIA versions prior to 3.2.0, specifically within the controle/control.php component. The flaw arises because the application does not properly validate the value provided in the 'senha_antiga' (old password) field during password change operations. This allows arbitrary password modifications without knowledge of the existing password. The issue is associated with CWE-863 (Incorrect Authorization) and CWE-284 (Improper Access Control), earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By submitting a crafted request to controle/control.php with any value in the senha_antiga field, attackers can change the password of any user account, potentially compromising administrative privileges and leading to high impacts on confidentiality, integrity, and availability.

Mitigation involves upgrading to WeGIA 3.2.0 or later, as versions prior to this release remain vulnerable. Further technical details and reproduction steps are documented in the vulnerability research repository at https://github.com/nmmorette/vulnerability-research/blob/main/CVE-2024-57032, with additional information available on the official WeGIA site at https://www.wegia.org/.

EU & UK References

Vulnerability details

WeGIA < 3.2.0 is vulnerable to Incorrect Access Control in controle/control.php. The application does not validate the value of the old password, so it is possible to change the password by placing any value in the senha_antiga field.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1098 Account Manipulation Persistence
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Incorrect access control in the password change functionality enables unauthorized account manipulation (T1098) by allowing password changes without validating the old password, exploited via a public-facing web application (T1190).

CVEs Like This One

CVE-2025-30361Same product: Wegia Wegia
CVE-2025-26609Same product: Wegia Wegia
CVE-2025-26617Same product: Wegia Wegia
CVE-2025-26608Same product: Wegia Wegia
CVE-2025-26607Same product: Wegia Wegia
CVE-2025-26611Same product: Wegia Wegia
CVE-2025-26615Same product: Wegia Wegia
CVE-2025-26616Same product: Wegia Wegia
CVE-2025-26606Same product: Wegia Wegia
CVE-2025-26613Same product: Wegia Wegia

Affected Assets

wegia
wegia
≤ 3.2.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-3 enforces approved authorizations for access to system resources, directly mitigating the incorrect access control in controle/control.php that allows unauthenticated password changes.

prevent

IA-5 requires secure management of authenticators including verification of existing passwords during changes, preventing arbitrary modifications without knowledge of the old password.

prevent

SI-10 mandates validation of critical inputs like the senha_antiga field, addressing the lack of old password verification in password change operations.

References