CVE-2024-9334
Published: 27 February 2025
Summary
CVE-2024-9334 is a high-severity Use of Hard-coded Credentials (CWE-798) vulnerability in E-Kent Pallium Vehicle Tracking. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).
Deeper analysis
CVE-2024-9334 is a high-severity vulnerability involving the use of hard-coded credentials (CWE-798) and storage of sensitive data in a mechanism without access control (CWE-921) in E-Kent Pallium Vehicle Tracking software. This flaw enables authentication bypass and affects all versions prior to 17.10.2024. Assigned a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), it highlights network-accessible exploitation with high confidentiality impact and low integrity impact.
A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows bypassing authentication controls, potentially granting access to sensitive data stored without proper access restrictions and enabling limited integrity modifications.
The primary advisory is available from the Turkish National Cyber Incident Response Center (USOM) at https://www.usom.gov.tr/bildirim/tr-25-0044, published on 2025-02-27. Mitigation involves updating to Pallium Vehicle Tracking version 17.10.2024 or later, as the issue is resolved in that release.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53949
Vulnerability details
Use of Hard-coded Credentials, Storage of Sensitive Data in a Mechanism without Access Control vulnerability in E-Kent Pallium Vehicle Tracking allows Authentication Bypass. This issue affects Pallium Vehicle Tracking: before 17.10.2024.
- CWE(s): CWE-798 (Use of Hard-coded Credentials), CWE-921 (Storage of Sensitive Data in a Mechanism without Access Control)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Hardcoded credentials enable remote unauthenticated auth bypass on a public-facing app (T1190), allowing use of valid accounts for access (T1078).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- IA-5 (Authenticator Management): Directly prohibits embedding credentials in software, eliminating the hard-coded credentials that enable authentication bypass in Pallium.
- AC-3 (Access Enforcement): Enforces access decisions at runtime rather than allowing bypass via static credentials or unprotected sensitive-data mechanisms.
- Requires cryptographic or access-controlled protection of sensitive data at rest, directly addressing the CWE-921 storage flaw.