Platform: other
Component: mbconnect24
Fixed in: 2.16.2, 8.2.0
CVE-2024-23943 describes a critical vulnerability affecting the mbCONNECT24 Cloud API. This vulnerability allows an unauthenticated remote attacker to gain access to the cloud API due to a lack of authentication for a critical function. Versions 0.0 through 8.2.0 are affected, and a fix is available in version 8.2.0.
The impact of this vulnerability is significant. An attacker can exploit this flaw to access sensitive data and potentially manipulate configurations within the mbCONNECT24 Cloud API without any authentication. This could lead to unauthorized data breaches, system compromise, and disruption of services. The lack of authentication means that any external user can potentially exploit this vulnerability, significantly expanding the attack surface. While availability isn't directly impacted, the compromise of data integrity and confidentiality represents a severe risk.
This vulnerability has a high probability of exploitation (EPSS score pending). The lack of authentication makes it easily exploitable. Public proof-of-concept code is not currently available, but the ease of exploitation suggests it may emerge. The vulnerability was published on 2025-03-18. It is not currently listed on the CISA KEV catalog.
Organizations utilizing mbCONNECT24 Cloud API in their deployments, particularly those with exposed APIs or those lacking robust network segmentation, are at risk. Legacy configurations and deployments without proper access controls are especially vulnerable.
Disclosure
Exploit status
EPSS: 0.15% (35th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-23943 is to upgrade to version 8.2.0 or later, which includes the necessary authentication controls. If immediate upgrading is not possible, consider implementing temporary workarounds such as restricting network access to the Cloud API to trusted IP addresses only. Implement strict firewall rules to limit external access. Monitor API access logs for any unusual or unauthorized activity. After upgrading, confirm the fix by attempting to access the API without authentication and verifying that access is denied.
Update mbCONNECT24 to version 2.16.2 or later. This corrects the lack of authentication in the cloud API. Consult the vendor's security advisory for more details on the update.
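The two operational steps above, verifying after the upgrade that a request without credentials is refused, and reviewing API access logs for unauthorized activity, can be scripted. The following is an added example and not code from the advisory or from the vendor: the API base URL, the endpoint path, the access-log format and the trusted network ranges are all placeholders that you would replace with your own deployment's values, and the log lines are constructed for the demonstration.

```python
"""Added example (not from the advisory or the vendor): two defender-side checks for
CVE-2024-23943. (1) After upgrading, confirm that a request carrying no credentials
is rejected. (2) Review API access logs for requests that succeeded without an
authenticated user or that came from outside the trusted address ranges. Endpoint
path, log format and trusted networks are assumptions, not values from the page."""
import ipaddress
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Hypothetical values; substitute your own deployment's base URL and an endpoint
# that is supposed to require authentication.
API_BASE = "https://mbconnect24.example.invalid"
PROBE_PATH = "/api/example/devices"
# Placeholder allow-list of networks permitted to reach the API (the firewall enforces it).
TRUSTED_NETWORKS = ("10.0.0.0/8", "192.168.0.0/16")


def unauthenticated_access_denied(status_code: int) -> bool:
    """A fixed deployment answers credential-less requests with 401 or 403."""
    return status_code in (401, 403)


def probe_without_credentials(base_url: str = API_BASE, path: str = PROBE_PATH,
                              timeout: float = 10.0) -> Tuple[bool, int]:
    """Send one GET with no Authorization header and report (denied, status).
    Performs a real network request; run it only against your own deployment."""
    req = urllib.request.Request(base_url + path, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return unauthenticated_access_denied(resp.status), resp.status
    except urllib.error.HTTPError as err:
        return unauthenticated_access_denied(err.code), err.code


@dataclass
class AccessEntry:
    client_ip: str
    user: Optional[str]   # None when the log shows no authenticated user ("-")
    method: str
    path: str
    status: int


# Assumed Common Log Format-style access log: ip ident authuser [ts] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_access_line(line: str) -> Optional[AccessEntry]:
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    user = None if m.group("user") == "-" else m.group("user")
    return AccessEntry(m.group("ip"), user, m.group("method"), m.group("path"),
                       int(m.group("status")))


def is_trusted(ip: str, networks: Iterable[str] = TRUSTED_NETWORKS) -> bool:
    """True when the client address falls inside one of the allow-listed networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(n) for n in networks)


def review_access_log(lines: Iterable[str],
                      networks: Iterable[str] = TRUSTED_NETWORKS) -> List[Tuple[str, AccessEntry]]:
    """Flag (a) successful responses to requests with no authenticated user, which a
    patched API must never produce, and (b) any API request from an untrusted source."""
    findings: List[Tuple[str, AccessEntry]] = []
    for line in lines:
        entry = parse_access_line(line)
        if entry is None:
            continue
        if entry.user is None and 200 <= entry.status < 300:
            findings.append(("unauthenticated-success", entry))
        if not is_trusted(entry.client_ip, networks):
            findings.append(("untrusted-source", entry))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.1.2.3 - operator [18/Mar/2025:09:00:01 +0000] "GET /api/example/devices HTTP/1.1" 200 812',
    '203.0.113.7 - - [18/Mar/2025:09:00:05 +0000] "GET /api/example/devices HTTP/1.1" 200 812',
    '198.51.100.9 - - [18/Mar/2025:09:00:09 +0000] "GET /api/example/devices HTTP/1.1" 401 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for kind, entry in review_access_log(SAMPLE_LOG):
        print(f"{kind}: {entry.client_ip} {entry.method} {entry.path} -> {entry.status}")
```

On the constructed sample the review reports one "unauthenticated-success" finding (a 200 returned to a request with no authenticated user, which is exactly the condition the fix is meant to eliminate) and two "untrusted-source" findings. The `probe_without_credentials` helper is the post-upgrade check from the mitigation text; a result of `(True, 401)` or `(True, 403)` indicates the API now refuses unauthenticated requests, while a `2xx` status means the upgrade has not taken effect.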
CVE-2024-23943 is a critical vulnerability in the mbCONNECT24 Cloud API allowing unauthenticated access due to missing authentication controls. It affects versions 0.0 through 8.2.0 and has a CVSS score of 9.1.
If you are using mbCONNECT24 Cloud API versions 0.0 to 8.2.0, you are potentially affected by this vulnerability. Assess your deployment and upgrade immediately.
The recommended fix is to upgrade to version 8.2.0 or later. As a temporary workaround, restrict network access to the API and monitor access logs.
While no active exploitation has been confirmed, the ease of exploitation suggests it may become a target. Monitor your systems and implement mitigations proactively.
Refer to the official mbCONNECT24 security advisory for detailed information and updates regarding CVE-2024-23943.