Cyber Resilience

CVE-2026-24664

Medium · Public PoC

Published: 03 February 2026

Modified: 10 February 2026
KEV Added
Patch
CVSS Score v3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.0010 (27.8th percentile)
Risk Priority: 11 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-24664 is a medium-severity Observable Response Discrepancy (CWE-204) vulnerability in Gunet Open Eclass Platform. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials (T1589.001). The CVE ranks at the 27.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Vulnerability details

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a username enumeration vulnerability allows unauthenticated attackers to identify valid user accounts by analyzing differences in the login response behavior. This issue has been patched in version 4.2.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1589.001 Credentials (Reconnaissance)
Adversaries may gather credentials that can be used during targeting.

T1110 Brute Force (Credential Access)
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.

Why these techniques?

Username enumeration via login response differences directly enables gathering valid account identities (T1589.001) and facilitates subsequent brute-force or credential-stuffing attempts (T1110).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

Affected Assets

Vendor: gunet
Product: open eclass platform
Version: ≤ 4.2

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-204

Fake or randomized responses remove distinguishable success/failure signals attackers rely on.

addresses: CWE-204

Eliminates distinguishable response discrepancies in error conditions that could be exploited for reconnaissance.
