CVE-2024-57602
Published: 12 February 2025
Summary
CVE-2024-57602 is an Improper Privilege Management (CWE-269) vulnerability in Alex Tselegidis EasyAppointments. Its CVSS v3.1 base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 21.6% of CVEs by exploit likelihood. It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-57602 is a privilege escalation vulnerability in Alex Tselegidis EasyAppointments version 1.5.0. The flaw exists in the index.php file, allowing a remote attacker to improperly elevate their access level. It has been assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-269 (Improper Privilege Management), though additional CWE details are unavailable from NVD.
The CVSS vector shows the vulnerability is reachable by any remote attacker with network access: no privileges are required, attack complexity is low, and no user interaction is needed. Scope is unchanged, so the impact is scored against the vulnerable application itself. Successful exploitation grants elevated privileges, with high impact to confidentiality, integrity, and availability, potentially allowing full compromise of the affected EasyAppointments instance.
Mitigation details are available in the advisory published at https://hkohi.ca/vulnerability/12, which was referenced alongside the CVE disclosure on 2025-02-12. The vulnerability description on this page does not name a fixed version, so security practitioners should consult that source for patching instructions or workarounds specific to EasyAppointments v1.5.0.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53639
Vulnerability details
An issue in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to escalate privileges via the index.php file.
- CWE(s): CWE-269 (Improper Privilege Management)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1068 Exploitation for Privilege Escalation
- T1190 Exploit Public-Facing Application
Why these techniques?
Remote unauthenticated privilege escalation in a public-facing web application (index.php) directly enables T1068 (Exploitation for Privilege Escalation) and T1190 (Exploit Public-Facing Application).
Affected Assets
- Alex Tselegidis EasyAppointments v1.5.0
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the privilege escalation vulnerability by requiring timely identification, reporting, and correction of the specific flaw in the index.php file of EasyAppointments v1.5.0.
- AC-3 (Access Enforcement): Enforces approved authorizations for access, directly countering the improper privilege management (CWE-269) that allows unauthenticated remote escalation in the application.
- AC-6 (Least Privilege): Limits the potential impact of privilege escalation by ensuring processes and users operate with the least privileges necessary, reducing damage from exploitation of the unauthenticated vulnerability.