Platform: other
Component: mbconnect24
Fixed in: 2.16.2, 8.2.0
CVE-2024-23943 describes a critical vulnerability affecting the mbCONNECT24 Cloud API. This vulnerability allows an unauthenticated remote attacker to gain access to the cloud API due to a lack of authentication for a critical function. Versions 0.0 through 8.2.0 are affected, and a fix is available in version 8.2.0.
The impact of this vulnerability is significant. An attacker can exploit this flaw to access sensitive data and potentially manipulate configurations within the mbCONNECT24 Cloud API without any authentication. This could lead to unauthorized data breaches, system compromise, and disruption of services. The lack of authentication means that any external user can potentially exploit this vulnerability, significantly expanding the attack surface. While availability isn't directly impacted, the compromise of data integrity and confidentiality represents a severe risk.
This vulnerability has a high probability of exploitation (EPSS score pending). The lack of authentication makes it easily exploitable. Public proof-of-concept code is not currently available, but the ease of exploitation suggests it may emerge. The vulnerability was published on 2025-03-18. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.15% (35th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-23943 is to upgrade to version 8.2.0 or later, which includes the necessary authentication controls. If immediate upgrading is not possible, consider implementing temporary workarounds such as restricting network access to the Cloud API to trusted IP addresses only. Implement strict firewall rules to limit external access. Monitor API access logs for any unusual or unauthorized activity. After upgrading, confirm the fix by attempting to access the API without authentication and verifying that access is denied.
Update mbCONNECT24 to version 2.16.2 or later. This corrects the lack of authentication in the cloud API. See the vendor security advisory for more details on the update.
CVE-2024-23943 is a critical vulnerability in the mbCONNECT24 Cloud API allowing unauthenticated access due to missing authentication controls. It affects versions 0.0 through 8.2.0 and has a CVSS score of 9.1.
If you are using mbCONNECT24 Cloud API versions 0.0 to 8.2.0, you are potentially affected by this vulnerability. Assess your deployment and upgrade immediately.
The recommended fix is to upgrade to version 8.2.0 or later. As a temporary workaround, restrict network access to the API and monitor access logs.
While no active exploitation has been confirmed, the ease of exploitation suggests it may become a target. Monitor your systems and implement mitigations proactively.
Refer to the official mbCONNECT24 security advisory for detailed information and updates regarding CVE-2024-23943.