CVE-2024-23943 describes a critical vulnerability affecting the mbCONNECT24 Cloud API. This vulnerability allows an unauthenticated remote attacker to gain access to the cloud API due to a lack of authentication for a critical function. Versions 0.0 through 8.2.0 are affected, and a fix is available in version 8.2.0.
The impact of this vulnerability is significant. An attacker can exploit this flaw to access sensitive data and potentially manipulate configurations within the mbCONNECT24 Cloud API without any authentication. This could lead to unauthorized data breaches, system compromise, and disruption of services. The lack of authentication means that any external user can potentially exploit this vulnerability, significantly expanding the attack surface. While availability isn't directly impacted, the compromise of data integrity and confidentiality represents a severe risk.
This vulnerability has a high probability of exploitation (EPSS score pending). The lack of authentication makes it easily exploitable. Public proof-of-concept code is not currently available, but the ease of exploitation suggests it may emerge. The vulnerability was published on 2025-03-18. It is not currently listed on the CISA KEV catalog.
Organizations utilizing mbCONNECT24 Cloud API in their deployments, particularly those with exposed APIs or those lacking robust network segmentation, are at risk. Legacy configurations and deployments without proper access controls are especially vulnerable.
EPSS: 0.15% (35th percentile)
The primary mitigation for CVE-2024-23943 is to upgrade to version 8.2.0 or later, which includes the necessary authentication controls. If immediate upgrading is not possible, consider implementing temporary workarounds such as restricting network access to the Cloud API to trusted IP addresses only. Implement strict firewall rules to limit external access. Monitor API access logs for any unusual or unauthorized activity. After upgrading, confirm the fix by attempting to access the API without authentication and verifying that access is denied.
Upgrade mbCONNECT24 to version 2.16.2 or later. This fixes the insufficient authentication in the cloud API. Refer to the vendor's security advisory for further details on upgrading.
CVE-2024-23943 is a critical vulnerability in the mbCONNECT24 Cloud API allowing unauthenticated access due to missing authentication controls. It affects versions 0.0 through 8.2.0 and has a CVSS score of 9.1.
If you are using mbCONNECT24 Cloud API versions 0.0 to 8.2.0, you are potentially affected by this vulnerability. Assess your deployment and upgrade immediately.
The recommended fix is to upgrade to version 8.2.0 or later. As a temporary workaround, restrict network access to the API and monitor access logs.
While no active exploitation has been confirmed, the ease of exploitation suggests it may become a target. Monitor your systems and implement mitigations proactively.
Refer to the official mbCONNECT24 security advisory for detailed information and updates regarding CVE-2024-23943.