CVE-2024-57490
Published: 21 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2024-57490 is an improper authentication vulnerability (CWE-287) in Guangzhou Hongfan Technology Co., LTD.'s iOffice20 software. Published on 2025-03-21 with a CVSS v3.1 base score of 7.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L), it stems from a logical flaw that allows unauthorized access to any user account, including the system administrator, without valid credentials.
Remote attackers with network access can exploit this vulnerability; the attack is rated high complexity but requires no privileges and no user interaction. Successful exploitation grants full login access to arbitrary accounts, enabling high-impact confidentiality and integrity violations such as data exfiltration, privilege escalation, and system modification, with low availability disruption.
Advisories and additional details are referenced at https://gist.github.com/NaliangzzZ/44bfcc1d9c2cf275d2b6683ca9e20980 and https://www.ioffice.cn.
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Because the improper authentication flaw sits in a network-accessible application, it maps to Exploit Public-Facing Application (T1190) for initial access; because exploiting it yields administrator-level accounts, it also maps to Exploitation for Privilege Escalation (T1068).