CVE-2024-57395
Published: 29 January 2025
Summary
CVE-2024-57395 is a critical-severity Insufficiently Protected Credentials (CWE-522) vulnerability in the Safety production process management system v1.0; the vendor is recorded here as Hzzcka (inferred from references). Its CVSS 3.1 base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 12.5% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-57395 is a password vulnerability, tracked under CWE-522, in the Safety production process management system version 1.0. The flaw lies in the handling of the password and account number parameters. Its CVSS 3.1 score of 9.8 reflects an attack that is reachable over the network and requires neither authentication nor user interaction, with an impact spanning privilege escalation, arbitrary code execution, and disclosure of sensitive information.
A remote attacker who supplies crafted values for the affected parameters can escalate privileges, run arbitrary code, and retrieve sensitive data from the system. The public description does not state how the two parameters are mishandled, so the exact mechanism should be treated as unconfirmed.
The EPSS score (an estimate of the probability of exploitation in the wild within the next 30 days) rose from a low baseline to a peak of 0.0551 on 2026-03-09 before receding to the current value of 0.0332, indicating that exploitation activity became a realistic prospect after public disclosure and has not fully subsided. The two referenced URLs point to the vendor site and a GitHub proof-of-concept description; neither contains mitigation guidance or patch details, so no vendor fix is recorded here.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53577
Vulnerability details
Password Vulnerability in Safety production process management system v1.0 allows a remote attacker to escalate privileges, execute arbitrary code and obtain sensitive information via the password and account number parameters.
- CWE(s): CWE-522 (Insufficiently Protected Credentials)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote exploitation of a public-facing application (the CWE-522 weakness reachable over the network) maps to T1190 (Exploit Public-Facing Application) for initial access and to T1068 (Exploitation for Privilege Escalation) for the resulting privilege escalation and code execution.
Mitigating Controls (NIST 800-53 r5)
IA-5 (Authenticator Management) mandates secure management and protection of authenticators such as passwords, which directly counters the CWE-522 weakness exploited through the password and account number parameters: credentials must not be stored, transmitted, or compared in a form an attacker can recover or bypass.
SI-10 (Information Input Validation) requires that inputs be checked for expected syntax and semantics before use, reducing the chance that crafted password and account number values reach logic that can yield privilege escalation, code execution, or data exfiltration.
SI-2 (Flaw Remediation) ensures identification, reporting, and timely remediation of flaws like this critical password vulnerability in Safety production process management system v1.0. Since the references record no vendor patch, this means tracking the vendor for a fix and applying compensating controls (network restriction of the application, credential rotation) in the meantime.
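The following is an added illustration of what IA-5 and SI-10 look like in code for a login handler that accepts an account number and a password parameter. It is example code written for this page, not code from the Safety production process management system or its vendor, and it does not reproduce the CVE-2024-57395 flaw, whose mechanism is not published. The parameter names, the digits-only account-number format, the PBKDF2 settings, and the in-memory user store are all assumptions chosen for the illustration; the weak_login() function shows the CWE-522 pattern (plaintext secret, no validation) purely as a contrast to hardened_login().

```python
"""Weak versus hardened handling of account-number and password parameters.

Added example for this page; not the affected product's code. Names,
formats, and the user store are assumptions for illustration only.
"""
import hashlib
import hmac
import os
import re
from typing import Dict, Optional, Tuple

# SI-10 assumption: an account number is 4 to 12 ASCII digits and nothing else.
ACCOUNT_RE = re.compile(r"[0-9]{4,12}")
# IA-5: PBKDF2-HMAC-SHA256 with OWASP's recommended iteration count.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def validate_params(account: object, password: object) -> bool:
    """SI-10: reject any parameter that does not have the expected shape
    before it reaches authentication logic or a backend query."""
    if not isinstance(account, str) or not isinstance(password, str):
        return False
    if ACCOUNT_RE.fullmatch(account) is None:
        return False
    # Passwords are opaque, but bound their length to stop oversized input.
    return 1 <= len(password) <= 256


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """IA-5: derive a salted digest; the password itself is never stored."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def weak_login(store: Dict[str, str], account: str, password: str) -> bool:
    """CWE-522 pattern: plaintext secrets in the store, no parameter
    validation, and a direct equality comparison. Kept only as a contrast."""
    return store.get(account) == password


def hardened_login(
    store: Dict[str, Tuple[bytes, bytes]], account: str, password: str
) -> bool:
    """Validated parameters, hashed credential, constant-time comparison."""
    if not validate_params(account, password):
        return False
    record = store.get(account)
    if record is None:
        # Run a dummy derivation so unknown and known accounts take
        # comparable time, which limits account enumeration via timing.
        hashlib.pbkdf2_hmac("sha256", b"", b"\x00" * SALT_BYTES, PBKDF2_ITERATIONS)
        return False
    salt, expected = record
    _, actual = hash_password(password, salt)
    return hmac.compare_digest(expected, actual)


# Constructed sample stores for the two handlers (one test user each).
WEAK_STORE: Dict[str, str] = {"10001": "Summer2024!"}
HARDENED_STORE: Dict[str, Tuple[bytes, bytes]] = {"10001": hash_password("Summer2024!")}


def demo() -> Dict[str, bool]:
    """Exercise both handlers with valid, wrong, and malformed parameters."""
    injected = "10001' OR '1'='1"
    return {
        "weak_valid": weak_login(WEAK_STORE, "10001", "Summer2024!"),
        "hardened_valid": hardened_login(HARDENED_STORE, "10001", "Summer2024!"),
        "hardened_wrong_password": hardened_login(HARDENED_STORE, "10001", "guess"),
        "hardened_unknown_account": hardened_login(HARDENED_STORE, "99999", "Summer2024!"),
        "hardened_malformed_account": hardened_login(HARDENED_STORE, injected, "x"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The malformed account number is rejected by validate_params() before any lookup happens, so whatever the backend does with that string is never reached; the hashed store means a leaked copy of HARDENED_STORE does not hand an attacker working passwords, which is the core of the CWE-522 mitigation.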