CVE-2024-43107

High

Published: 10 March 2025

Published

10 March 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L

EPSS Score 0.0006 19.1th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2024-43107 is an Improper Certificate Validation vulnerability (CWE-295) in the Gallagher Milestone Integration Plugin (MIP). The flaw permits unauthenticated messages, such as alarm events, to be sent to the plugin due to inadequate certificate checks. It affects Gallagher MIP Plugin versions 4.0 prior to 4.0.32, as well as all versions of 3.0 and prior.

The vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L), indicating it is exploitable remotely over the network by unauthenticated attackers with low complexity and no user interaction. Attackers can send unauthorized messages to the plugin, achieving low-level impacts on integrity and availability with a changed scope.

The Gallagher security advisory provides further details on mitigation, available at https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2024-43107. Affected systems should be updated to Gallagher MIP Plugin v4.0.32 or later to address the issue.

Details

CWE(s): CWE-295

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Improper certificate validation enables remote unauthenticated attackers to send messages to the plugin, directly facilitating exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2024-43107
disclosures@gallagher.com