CVE-2024-57707

CriticalPublic PoCRCE

Published: 07 February 2025

Published

07 February 2025

Modified

28 March 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0015 35.0th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-57707 is a critical-severity Code Injection (CWE-94) vulnerability in Dataease Dataease. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Requires validation of user account and password inputs to directly prevent code injection (CWE-94) in DataEase authentication components.

SI-2 Flaw Remediation good match

prevent

Mandates identification, reporting, and remediation of flaws like CVE-2024-57707 to patch the vulnerable code execution path.

SI-16 Memory Protection partial match

prevent

Implements memory protections that mitigate arbitrary code execution resulting from successful injection attacks.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Remote unauthenticated code injection (CWE-94) in public-facing DataEase auth component directly enables T1190 for arbitrary code execution and server takeover.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An issue in DataEase v1 allows an attacker to execute arbitrary code via the user account and password components.

Deeper analysisAI

CVE-2024-57707 is a critical code injection vulnerability (CWE-94) in DataEase version 1, enabling arbitrary code execution through the user account and password components. Assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), it was published on 2025-02-07 and affects the application's authentication mechanisms, allowing attackers to inject and execute malicious code remotely.

Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation grants high-impact access, compromising confidentiality, integrity, and availability by executing arbitrary code on the affected DataEase v1 instance, potentially leading to full server takeover.

For mitigation details, refer to the advisory at https://github.com/shigophilo/CVE/blob/main/DataEase-v1-code-execute.md.

Details

CWE(s): CWE-94

Affected Products

dataease

1.0.0

CVEs Like This One

CVE-2025-57772Same product: Dataease Dataease

CVE-2025-58045Same product: Dataease Dataease

CVE-2026-33083Same product: Dataease Dataease

CVE-2026-33082Same product: Dataease Dataease

CVE-2026-33122Same product: Dataease Dataease

CVE-2025-58046Same product: Dataease Dataease

CVE-2025-64164Same product: Dataease Dataease

CVE-2025-64428Same product: Dataease Dataease

CVE-2026-33084Same product: Dataease Dataease

CVE-2025-58748Same product: Dataease Dataease

References

https://github.com/shigophilo/CVE/blob/main/DataEase-v1-code-execute.md
Broken Link, Exploit, Third Party Advisory · cve@mitre.org