Cyber Posture

CVE-2024-9342

Critical

Published: 16 July 2025

Published
16 July 2025
Modified
16 July 2025
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0011 28.7th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-9342 is a critical-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Eclipse Glassfish. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Password Guessing (T1110.001); ranked at the 28.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and SC-5 (Denial-of-service Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Password Guessing (T1110.001). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-7 Unsuccessful Logon Attempts good match
prevent

AC-7 enforces limits on the number of consecutive unsuccessful logon attempts, directly preventing brute force attacks enabled by the absence of such restrictions in Eclipse GlassFish.

SC-5 Denial-of-service Protection partial match
prevent

SC-5 protects against denial-of-service impacts from excessive login attempts that could exhaust resources during brute force exploitation of the vulnerable authentication endpoints.

SI-4 System Monitoring partial match
detect

SI-4 monitors for indicators of brute force attacks through detection of anomalous patterns in failed login attempts against the GlassFish server.

MITRE ATT&CK Enterprise TechniquesAI

T1110.001 Password Guessing Credential Access
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
attack.mitre.org →
Why these techniques?

Directly enables unlimited login attempts for password guessing on exposed auth endpoints (CWE-307).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In Eclipse GlassFish version 7.0.16 or earlier it is possible to perform Login Brute Force attacks as there is no limitation in the number of failed login attempts.

Deeper analysisAI

CVE-2024-9342 affects Eclipse GlassFish version 7.0.16 and earlier, where there is no limitation on the number of failed login attempts, enabling login brute force attacks. This vulnerability, classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts), received a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its network accessibility, low complexity, and lack of prerequisites for exploitation.

Unauthenticated remote attackers can exploit this vulnerability by performing unlimited login attempts against exposed authentication endpoints, potentially guessing valid credentials through brute force if passwords are weak or predictable. Successful exploitation could grant unauthorized access to the application server, resulting in high impacts on confidentiality, integrity, and availability as per the CVSS metrics.

Mitigation details are available in the Eclipse security advisory at https://gitlab.eclipse.org/security/cve-assignement/-/issues/33, published on 2025-07-16.

Details

CWE(s)
CWE-307

Affected Products

eclipse
glassfish
7.0.16

CVEs Like This One

CVE-2025-58587Shared CWE-307
CVE-2026-24436Shared CWE-307
CVE-2025-36363Shared CWE-307
CVE-2026-27521Shared CWE-307
CVE-2026-32292Shared CWE-307
CVE-2025-0726Same vendor: Eclipse
CVE-2026-27778Shared CWE-307
CVE-2026-1188Same vendor: Eclipse
CVE-2026-2332Same vendor: Eclipse
CVE-2026-1699Same vendor: Eclipse

References