CVE-2024-23733
Published: 29 January 2025
Description
The /WmAdmin/ and /invoke/vm.server/login login pages in the Integration Server in Software AG webMethods 10.15.0 before Core_Fix7 allow remote attackers to reach the administration panel and discover hostname and version information by sending an arbitrary username and a blank password to the /WmAdmin/#/login/ URI.
Security Summary
CVE-2024-23733 is an information disclosure vulnerability in the Integration Server component of Software AG webMethods version 10.15.0 prior to Core_Fix7. Specifically, the /WmAdmin/ and /invoke/vm.server/login pages allow remote attackers to bypass authentication restrictions on the administration panel. By submitting an arbitrary username paired with a blank password to the /WmAdmin/#/login/ URI, attackers can access the panel and retrieve sensitive details including the server's hostname and version information. The flaw is mapped to CWE-522 (Insufficiently Protected Credentials) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no impairment to integrity or availability.
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation involves sending a crafted login request to the vulnerable URI, which grants access to the administration interface where hostname and version data are exposed. This reconnaissance lets attackers map the target's environment and may aid subsequent attacks tailored to the discovered software version or infrastructure details.
The vulnerability is mitigated by upgrading to Core_Fix7 or later in Software AG webMethods 10.15.0. Further technical details, including a proof-of-concept, are documented in the GitHub repository at https://github.com/ekcrsm/CVE-2024-23733/tree/main.
Details
- CWE(s)