
CVE-2024-57604

Critical · Public PoC

Published: 12 February 2025

Modified: 06 June 2025
KEV Added: not listed
Patch: not recorded
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0123 (79.6th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-57604 is a critical-severity Incorrect Default Permissions (CWE-276) vulnerability in MaysWind ezBookkeeping. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110). The CVE is ranked in the top 20.4% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2024-57604 is a privilege escalation vulnerability affecting MaysWind ezBookkeeping version 0.7.0, specifically within the token component. The issue, classified under CWE-276, enables a remote attacker to elevate privileges. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and high impacts on confidentiality, integrity, and availability.

A remote attacker without prior privileges can exploit this vulnerability over the network with minimal complexity and no user interaction. Successful exploitation allows privilege escalation, potentially granting unauthorized access to sensitive functions or data within the affected ezBookkeeping instance, leading to high-level compromise of confidentiality, integrity, and availability.

Advisories and discussions are available in referenced sources, including a GitHub issue at https://github.com/mayswind/ezbookkeeping/issues/33 and additional details at https://hkohi.ca/vulnerability/2, which may provide further guidance on patches or mitigations. The vulnerability was published on 2025-02-12.


Vulnerability details

An issue in MaysWind ezBookkeeping 0.7.0 allows a remote attacker to escalate privileges via the token component.

CWE(s)

CWE-276 Incorrect Default Permissions

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1110 Brute Force (Credential Access): Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.

T1110.001 Password Guessing (Credential Access): Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
Why these techniques?

The affected component lacks rate limiting on the login and 2FA backup-code endpoints, so a remote attacker can brute-force credentials and bypass authentication, leading to account takeover and privilege escalation.

CVEs Like This One

CVE-2025-27677 (shared CWE-276)
CVE-2025-21532 (shared CWE-276)
CVE-2024-56525 (shared CWE-276)
CVE-2025-24176 (shared CWE-276)
CVE-2025-67230 (shared CWE-276)
CVE-2025-1789 (shared CWE-276)
CVE-2025-30465 (shared CWE-276)
CVE-2025-27682 (shared CWE-276)
CVE-2026-6823 (shared CWE-276)
CVE-2026-24063 (shared CWE-276)

Affected Assets

Vendor: mayswind
Product: ezbookkeeping
Version: 0.7.0

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent (control identifier not recorded on this page): Directly mitigates the CVE by requiring timely identification, reporting, and remediation of the privilege escalation flaw in the ezBookkeeping token component.

Prevent, AC-6 (Least Privilege): Counters privilege escalation by enforcing least privilege, restricting unauthorized access even if the token component is exploited.

Prevent, AC-3 (Access Enforcement): Requires the system to enforce approved access authorizations, preventing the remote unauthenticated privilege escalation via improper token handling.

References

https://github.com/mayswind/ezbookkeeping/issues/33
https://hkohi.ca/vulnerability/2