Cyber Resilience

CVE-2024-9513

Medium · Public PoC

Published: 04 October 2024

Modified: 13 November 2024
KEV Added
Patch
CVSS Score v4: 6.3 (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.1361 (94.4th percentile)
Risk Priority: 21 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-9513 is a medium-severity Observable Discrepancy (CWE-203) vulnerability in Netadmin Software NetAdmin IAM. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Domain Account (T1087.002). The CVE ranks in the top 5.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Deeper analysis

A vulnerability identified as CVE-2024-9513 exists in Netadmin Software NetAdmin IAM up to version 3.5 and is classified under CWE-203 as an observable discrepancy issue. It resides in an unknown function within the file /controller/api/Answer/ReturnUserQuestionsFilled of the HTTP POST Request Handler component, where improper handling of the username argument in requests can expose information through differing responses.

The flaw can be triggered remotely by unauthenticated attackers who supply crafted username values in POST requests. Although the attack requires high complexity and is considered difficult to exploit, successful abuse allows disclosure of sensitive details without needing user interaction or elevated privileges.

The vendor was notified prior to public disclosure and has indicated plans to issue a fix in mid-October 2024. Details are available in VulDB entries that document the issue and the forthcoming remediation.

The exploit code has already been made public. The associated EPSS score is currently 0.1361 with no material change from its peak value.

Vulnerability details

A vulnerability was found in Netadmin Software NetAdmin IAM up to 3.5 and classified as problematic. Affected by this issue is some unknown functionality of the file /controller/api/Answer/ReturnUserQuestionsFilled of the component HTTP POST Request Handler. The manipulation of the argument username leads to information exposure through discrepancy. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure and is planning to release a fix in mid-October 2024.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1087.002 Domain Account Discovery
Adversaries may attempt to get a listing of domain accounts.
Why these techniques?

The vulnerability enables remote, unauthenticated enumeration of valid Active Directory domain usernames via observable discrepancies in HTTP responses (200 OK for valid users vs. 500 error for invalid), facilitating Domain Account Discovery.
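A detection sketch for the discrepancy described above, added here as an example and not code from the vendor, VulDB or this page: it flags sources whose POSTs to the affected endpoint are numerous and mostly answered with 500. The access-log layout, the thresholds and the sample lines are assumptions; only the endpoint path and the 200/500 split come from the text.

```python
import re
from collections import defaultdict

# Endpoint named in the advisory text; everything else below is an assumption.
ENDPOINT = "/controller/api/Answer/ReturnUserQuestionsFilled"

# Assumed common-log-format layout; adapt the pattern to your proxy or web server.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not from a real system.
_FMT = '{0} - - [04/Oct/2024:10:00:{1:02d} +0000] "{2} {3} HTTP/1.1" {4} 312'
_ROWS = (
    [("198.51.100.7", "POST", ENDPOINT, 500)] * 5       # many misses ...
    + [("198.51.100.7", "POST", ENDPOINT, 200)]         # ... and one hit
    + [("203.0.113.20", "POST", ENDPOINT, 200)] * 2     # ordinary users
    + [("192.0.2.44", "GET", "/index.html", 500)]       # unrelated error
)
SAMPLE_LOG = [_FMT.format(s, i, m, p, st) for i, (s, m, p, st) in enumerate(_ROWS)]


def find_enumeration(lines, min_requests=5, min_error_ratio=0.6):
    """Return {source: (total, count_500, count_200)} for sources whose POSTs
    to ENDPOINT are frequent and mostly 500s, the pattern left by username
    guessing when valid names get 200 and invalid names get 500."""
    stats = defaultdict(lambda: [0, 0, 0])
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Ignore query string and trailing slash; compare case-insensitively.
        path = m["path"].split("?", 1)[0].rstrip("/").lower()
        if path != ENDPOINT.lower():
            continue
        entry = stats[m["src"]]
        entry[0] += 1
        if m["status"] == "500":
            entry[1] += 1
        elif m["status"] == "200":
            entry[2] += 1
    return {
        src: tuple(e) for src, e in stats.items()
        if e[0] >= min_requests and e[1] / e[0] >= min_error_ratio
    }


if __name__ == "__main__":
    for src, (total, errs, oks) in find_enumeration(SAMPLE_LOG).items():
        print(f"{src}: {total} POSTs, {errs} x 500, {oks} x 200")
```

Sources that received a 200 among the flagged traffic are worth reviewing first, since those responses correspond to usernames the server confirmed.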

Affected Assets

Vendor: netadmin
Product: netadmin iam
Versions: ≤ 3.5

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-203

Misdirection can normalize or falsify responses to eliminate observable discrepancies that aid reconnaissance.

addresses: CWE-203

Observable discrepancies in system behavior can be modulated to create covert storage or timing channels; the required analysis detects and constrains such avenues.

addresses: CWE-203

Prevents attackers from using observable differences in error responses to infer internal system details or state.
