Cyber Posture

CVE-2024-57490

Severity: High

Published: 21 March 2025

Modified: 01 April 2025
KEV Added: not listed (not in the CISA KEV catalog)
CVSS Score: 7.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L)
EPSS Score: 0.0003 (9.3th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-57490 is a high-severity Improper Authentication (CWE-287) vulnerability in iOffice20 from Guangzhou Hongfan Technology Co., LTD. Its CVSS v3.1 base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 9.3th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-2 (Identification and Authentication (Organizational Users)) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

IA-2 Identification and Authentication (Organizational Users) · prevent
Mandates unique identification and authentication for organizational users, directly countering the logical flaw that enables login to any account, including the administrator account, without credentials.

SI-2 Flaw Remediation · prevent
Requires timely identification, reporting, and remediation of flaws such as the improper authentication vulnerability in iOffice20, eliminating the exploit path.

AC-3 Access Enforcement · prevent
Enforces approved access authorizations after authentication, providing a secondary barrier against the unauthorized access that the authentication bypass would otherwise grant. (The control identifier AC-3 is supplied here from NIST 800-53 r5; the page itself lists only the control description.)

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The improper authentication vulnerability in a network-accessible application directly enables remote exploitation of a public-facing app for initial access (T1190) and exploitation of the software flaw to gain administrator privileges (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Guangzhou Hongfan Technology Co., LTD. iOffice20 has an "any user login" vulnerability. An attacker can log in to any system account, including the system administrator, through a logical flaw.

Deeper analysis [AI-generated]

CVE-2024-57490 is an improper authentication vulnerability (CWE-287) in Guangzhou Hongfan Technology Co., LTD.'s iOffice20 software. Published on 2025-03-21 with a CVSS v3.1 base score of 7.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L), it stems from a logical flaw that allows access to any user account, including the system administrator, without valid credentials.

The vulnerability is exploitable remotely over the network: the vector rates attack complexity as high, but exploitation requires no privileges and no user interaction. Successful exploitation grants full login access to arbitrary accounts, enabling high-impact confidentiality and integrity violations such as data exfiltration, privilege escalation, and system modification, with only low availability disruption.

Advisories and additional details are referenced at https://gist.github.com/NaliangzzZ/44bfcc1d9c2cf275d2b6683ca9e20980 and https://www.ioffice.cn.

Details

CWE(s): CWE-287 (Improper Authentication)

Affected Products: ioffice / ioffice20, all versions

CVEs Like This One (shared CWE-287)

CVE-2025-67158
CVE-2026-33665
CVE-2026-0405
CVE-2025-56333
CVE-2026-33898
CVE-2025-60772
CVE-2026-22594
CVE-2026-5570
CVE-2025-52395
CVE-2025-15484

References

https://gist.github.com/NaliangzzZ/44bfcc1d9c2cf275d2b6683ca9e20980
https://www.ioffice.cn