CVE-2024-9513
Published: 04 October 2024
Summary
CVE-2024-9513 is a medium-severity Observable Discrepancy (CWE-203) vulnerability in Netadmin Software NetAdmin IAM, affecting versions up to 3.5. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation maps to the MITRE ATT&CK technique Account Discovery: Domain Account (T1087.002). The CVE is ranked in the top 5.6% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
A vulnerability identified as CVE-2024-9513 exists in Netadmin Software NetAdmin IAM up to version 3.5 and is classified under CWE-203 as an observable discrepancy issue. It resides in an unknown function within the file /controller/api/Answer/ReturnUserQuestionsFilled of the HTTP POST Request Handler component, where improper handling of the username argument in requests can expose information through differing responses.
The flaw can be triggered remotely by unauthenticated attackers who supply crafted username values in POST requests. Although the attack is rated as high complexity and is considered difficult to exploit, successful abuse discloses sensitive information (in practice, whether a given username exists) without user interaction or elevated privileges.
The vendor was notified prior to public disclosure and has indicated plans to issue a fix in mid-October 2024. Details are available in VulDB entries that document the issue and the forthcoming remediation.
Exploit code has been made public. The associated EPSS score is currently 0.1361 (roughly a 13.6% estimated probability of exploitation activity in the next 30 days), unchanged from its peak value.
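As an added example (not part of this entry, the VulDB advisory, or the vendor's product), the detection logic a SOC could run over web-server access logs to spot the enumeration pattern described above: one source hitting the affected endpoint with many distinct usernames and collecting mostly 500s. The log line format, the appended username field, and the sample lines are constructed assumptions; real NetAdmin IAM logs may not record the posted username at all.

```python
# Added example: username-enumeration detection over constructed access-log lines.
# Not from the CVE entry or the vendor; the log format and field names are assumed.
import re
from collections import defaultdict

TARGET_PATH = "/controller/api/Answer/ReturnUserQuestionsFilled"

# Assumed format: one request per line, with the posted username appended by a
# hypothetical logging hook (real NetAdmin IAM logs may not record it).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "POST (?P<path>\S+) HTTP/1\.[01]" '
    r'(?P<status>\d{3}) username=(?P<user>\S*)$'
)

# Constructed sample: 10.0.0.5 probes eight different names (two of them exist),
# 10.0.0.9 is a normal client calling the endpoint twice for its own account.
SAMPLE_LOG = """\
10.0.0.5 [04/Oct/2024:10:00:01 +0000] "POST /controller/api/Answer/ReturnUserQuestionsFilled HTTP/1.1" 500 username=aaron
10.0.0.5 [04/Oct/2024:10:00:01 +0000] "POST /controller/api/Answer/ReturnUserQuestionsFilled HTTP/1.1" 500 username=abigail
10.0.0.5 [04/Oct/2024:10:00:02 +0000] "POST /controller/api/Answer/ReturnUserQuestionsFilled HTTP/1.1" 200 username=alice
10.0.0.5 [04/Oct/2024:10:00:02 +0000] "POST /controller/api/Answer/ReturnUserQuestionsFilled HTTP/1.1" 500 username=adam
10.0.0.9 [04/Oct/2024:10:00:03 +0000] "POST /controller/api/Answer/ReturnUserQuestionsFilled HTTP/1.1" 200 username=dana
10.0.0.5 [04/Oct/2024:10:00:03 +0000] "POST /controller/api/Answer/ReturnUserQuestionsFilled HTTP/1.1" 500 username=amy
10.0.0.5 [04/Oct/2024:10:00:04 +0000] "POST /controller/api/Answer/ReturnUserQuestionsFilled HTTP/1.1" 200 username=bob
10.0.0.5 [04/Oct/2024:10:00:04 +0000] "GET /login HTTP/1.1" 200 username=
10.0.0.5 [04/Oct/2024:10:00:05 +0000] "POST /controller/api/Answer/ReturnUserQuestionsFilled HTTP/1.1" 500 username=bruce
10.0.0.5 [04/Oct/2024:10:00:05 +0000] "POST /controller/api/Other HTTP/1.1" 500 username=carol
10.0.0.5 [04/Oct/2024:10:00:06 +0000] "POST /controller/api/Answer/ReturnUserQuestionsFilled HTTP/1.1" 500 username=carol
10.0.0.9 [04/Oct/2024:10:00:07 +0000] "POST /controller/api/Answer/ReturnUserQuestionsFilled HTTP/1.1" 200 username=dana
"""


def parse(log_text):
    """Yield (ip, status, user) for POSTs to the affected endpoint; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("path") == TARGET_PATH:
            yield m.group("ip"), int(m.group("status")), m.group("user")


def find_enumeration(log_text, min_distinct=5, min_error_ratio=0.5):
    """Flag source IPs that probe many distinct usernames and mostly receive the
    500 that the advisory describes for non-existent users.
    Returns {ip: {"distinct": n, "ok": k, "error": e, "valid_names": [...]}}.
    """
    per_ip = defaultdict(lambda: {"users": set(), "ok": 0, "error": 0, "valid": set()})
    for ip, status, user in parse(log_text):
        rec = per_ip[ip]
        rec["users"].add(user)
        if status == 200:
            rec["ok"] += 1
            rec["valid"].add(user)  # what the attacker learns: this name exists
        elif status >= 500:
            rec["error"] += 1

    findings = {}
    for ip, rec in per_ip.items():
        total = rec["ok"] + rec["error"]
        distinct = len(rec["users"])
        if distinct >= min_distinct and total and rec["error"] / total >= min_error_ratio:
            findings[ip] = {
                "distinct": distinct,
                "ok": rec["ok"],
                "error": rec["error"],
                "valid_names": sorted(rec["valid"]),
            }
    return findings


if __name__ == "__main__":
    for ip, f in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {f['distinct']} usernames probed, {f['error']} errors, "
              f"valid names learned: {f['valid_names']}")
```

The thresholds are deliberately conservative: a legitimate client calling the endpoint for its own account produces one distinct username and no 500s, so it never trips the rule, while an enumeration run is visible even before the attacker finds a valid name. The `valid_names` field is the list of usernames the attacker has already confirmed, which is what a responder needs for follow-up (password-spray monitoring on exactly those accounts).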
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-49978
Vulnerability details
A vulnerability was found in Netadmin Software NetAdmin IAM up to 3.5 and classified as problematic. Affected by this issue is some unknown functionality of the file /controller/api/Answer/ReturnUserQuestionsFilled of the component HTTP POST Request Handler. The manipulation of the argument username leads to information exposure through discrepancy. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure and is planning to release a fix in mid-October 2024.
- CWE(s): CWE-203 Observable Discrepancy
Related Threats
MITRE ATT&CK Enterprise Techniques
- Account Discovery: Domain Account (T1087.002)
Why these techniques?
The vulnerability enables remote, unauthenticated enumeration of valid Active Directory domain usernames via observable discrepancies in HTTP responses (200 OK for valid users vs. 500 error for invalid), facilitating Domain Account Discovery.
Affected Assets
- Netadmin Software NetAdmin IAM, versions up to 3.5
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Misdirection (deception) can normalize or falsify responses to eliminate the observable discrepancies that aid reconnaissance.
- Observable discrepancies in system behavior can be modulated to create covert storage or timing channels; covert-channel analysis detects and constrains such avenues.
- Uniform error handling prevents attackers from using observable differences in error responses to infer internal system details or state.
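As an added example serving both the "Why these techniques?" explanation (200 for a known user, 500 for an unknown one) and the response-normalization controls above, a minimal model of the CWE-203 pattern next to its hardened form, plus the discrimination check a pentester runs and a fix should keep as a regression test. This is not NetAdmin IAM code: the handler logic, user store, session handling and response bodies are all assumptions.

```python
# Added example: model of the CWE-203 existence oracle and the normalized fix.
# Handler logic, user store and bodies are assumed; this is not NetAdmin IAM code.
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    status: int
    body: str


# Constructed user store: username -> whether security questions are filled in.
USERS = {"alice": True, "bob": False}


def vulnerable_handler(form, session_user=None):
    """Pre-auth lookup keyed on the submitted username. An unknown name raises
    KeyError, which the framework surfaces as 500, while a known name gets 200:
    the status code alone tells a remote caller whether the account exists."""
    username = form.get("username", "")
    try:
        filled = USERS[username]          # KeyError for non-existent users
    except KeyError:
        return Response(500, "Internal Server Error")
    return Response(200, json.dumps({"questionsFilled": filled}))


def hardened_handler(form, session_user=None):
    """Two changes: the endpoint no longer serves unauthenticated callers, and
    neither status nor body depends on the submitted username. Authenticated
    callers receive only their own record; the username field is ignored."""
    if session_user is None:
        # Byte-identical response whatever was posted: nothing to enumerate.
        return Response(401, json.dumps({"error": "authentication required"}))
    filled = USERS.get(session_user, False)   # .get(): no exception path to leak
    return Response(200, json.dumps({"questionsFilled": filled}))


def response_discriminates(handler, known_user, unknown_user):
    """True if the handler answers a known and an unknown username differently
    in status or body, i.e. the response is an existence oracle."""
    a = handler({"username": known_user})
    b = handler({"username": unknown_user})
    return (a.status, a.body) != (b.status, b.body)


if __name__ == "__main__":
    for name, h in (("vulnerable", vulnerable_handler), ("hardened", hardened_handler)):
        print(f"{name}: leaks account existence = {response_discriminates(h, 'alice', 'zed')}")
```

The check compares status and body only; the covert-channel control listed above is a reminder that response timing is a separate channel, so a hardened handler should also avoid doing measurably more work for a known user than for an unknown one before the authentication check.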