CVE-2024-39327
Published: 18 February 2025
Description
Incorrect Access Control vulnerability in Atos Eviden IDRA before 2.6.1 could allow the possibility to obtain CA signing in an illegitimate way.
Security Summary
CVE-2024-39327 is an Incorrect Access Control vulnerability (CWE-284) in Atos Eviden IDRA versions before 2.6.1. The flaw allows CA signing capabilities to be obtained in an illegitimate way and carries a CVSS v3.1 base score of 9.9 (vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). Published on 2025-02-18, it affects the IDRA component used in digital identity and PKI environments.
A low-privileged remote attacker (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Exploitation changes scope (S:C) and results in high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), allowing illegitimate CA signing that could lead to privilege escalation, certificate forgery, or broader system compromise.
Advisories recommend updating to Atos Eviden IDRA 2.6.1 or later for mitigation. Relevant guidance appears in the Eviden digital identity solutions page at https://eviden.com/solutions/digital-security/digital-identity/ and Bull PSIRT bulletin PSIRT-1335 (TLP:CLEAR v2.10) at https://support.bull.com/ols/product/security/psirt/security-bulletins/potential-privilege-escalation-in-idpki-psirt-1335-tlp-clear-version-2-10-cve-2024-39327-cve-2024-39328-cve-2024-51505/view, which addresses this CVE alongside CVE-2024-39328 and CVE-2024-51505 in the IDPKI context.
Details
- CWE(s)