Cyber Resilience

CVE-2024-9334

HighUpdated

Published: 27 February 2025

Published
27 February 2025
Modified
02 June 2026
KEV Added
Patch
CVSS Score v3.1 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS Score 0.0005 15.8th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-9334 is a high-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Gov (inferred from references). Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2024-9334 is a high-severity vulnerability involving the use of hard-coded credentials (CWE-798) and storage of sensitive data in a mechanism without access control (CWE-921) in E-Kent Pallium Vehicle Tracking software. This flaw enables authentication bypass and affects all versions prior to 17.10.2024. Assigned a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), it highlights network-accessible exploitation with high confidentiality impact and low integrity impact.

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows bypassing authentication controls, potentially granting access to sensitive data stored without proper access restrictions and enabling limited integrity modifications.

The primary advisory is available from the Turkish National Cyber Incident Response Center (USOM) at https://www.usom.gov.tr/bildirim/tr-25-0044, published on 2025-02-27. Mitigation involves updating to Pallium Vehicle Tracking version 17.10.2024 or later, as the issue is resolved in that release.

EU & UK References

Vulnerability details

Use of Hard-coded Credentials, Storage of Sensitive Data in a Mechanism without Access Control vulnerability in E-Kent Pallium Vehicle Tracking allows Authentication Bypass. This issue affects Pallium Vehicle Tracking: before 17.10.2024.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1078 Valid Accounts Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Hardcoded credentials enable remote unauthenticated auth bypass on a public-facing app (T1190), allowing use of valid accounts for access (T1078).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-1393Shared CWE-798
CVE-2025-8857Shared CWE-798
CVE-2025-37103Shared CWE-798
CVE-2025-2538Shared CWE-798
CVE-2026-7579Shared CWE-798
CVE-2025-11126Shared CWE-798
CVE-2026-29023Shared CWE-798
CVE-2026-9139Shared CWE-798
CVE-2025-42890Shared CWE-798
CVE-2020-36911Shared CWE-798

Affected Assets

Gov
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prohibits embedding credentials in software, eliminating the hardcoded credentials that enable authentication bypass in Pallium.

prevent

Enforces access decisions at runtime rather than allowing bypass via static credentials or unprotected sensitive-data mechanisms.

prevent

Requires cryptographic or access-controlled protection of sensitive data at rest, directly addressing the CWE-921 storage flaw.

References