CVE-2024-7872
Published: 06 March 2025
Summary
CVE-2024-7872 is a high-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability in Gov (inferred from references). Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Sniffing (T1040); ranked at the 18.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-8 (Transmission Confidentiality and Integrity) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-7872 is an Insertion of Sensitive Information Into Sent Data vulnerability (CWE-201) in ExtremePACS Extreme XDS, which allows attackers to retrieve embedded sensitive data. The issue affects Extreme XDS versions prior to 3933. It has a CVSS v3.1 base score of 7.6 (High), with the vector AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L, indicating high confidentiality impact alongside low integrity and availability impacts.
Attackers on an adjacent network (AV:A) can exploit this vulnerability with low complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N) required. Successful exploitation enables retrieval of highly sensitive data embedded in sent transmissions (C:H), with potential for minor integrity modifications (I:L) and service disruptions (A:L), all within the unchanged scope (S:U).
Mitigation involves upgrading to Extreme XDS version 3933 or later. Additional details are available in the advisory at https://www.usom.gov.tr/bildirim/tr-25-0057.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6108
Vulnerability details
Insertion of Sensitive Information Into Sent Data vulnerability in ExtremePACS Extreme XDS allows Retrieve Embedded Sensitive Data. This issue affects Extreme XDS: before 3933.
- CWE(s): CWE-201 (Insertion of Sensitive Information Into Sent Data)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Network Sniffing (T1040)
Why these techniques?
The vulnerability allows retrieval of sensitive data embedded in network transmissions on an adjacent network (AV:A), directly facilitating network sniffing to capture cleartext or otherwise sensitive information.
Mitigating Controls (NIST 800-53 r5)
- SC-8 (Transmission Confidentiality and Integrity): directly requires cryptographic protection of transmitted data to prevent disclosure of sensitive information embedded in network flows, exactly matching the CWE-201 flaw.
- Information flow control: enforces policy-based restrictions on what information may be sent over the network, blocking unauthorized release of embedded sensitive data.
- SI-2 (Flaw Remediation): requires timely remediation of known software flaws, directly addressed by upgrading Extreme XDS to version 3933 or later.