CVE-2024-26331
published 2024-04-30

CVE-2024-26331: ReCrystallize Server 5.10.0.0 uses an authorization mechanism that relies on the value of a cookie, but it does not bind the cookie value to a session ID…

Priority: P271 · Severity: high 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 49.32% (98.7th percentile)
ReCrystallize Server 5.10.0.0 uses an authorization mechanism that relies on the value of a cookie, but it does not bind the cookie value to a session ID. Attackers can easily modify the cookie value, within a browser or by implementing client-side code outside of a browser. Attackers can bypass the authentication mechanism by modifying the cookie to contain an expected value.

Detection & IOCs (extracted from sources)

cookie: AdminUsername=admin
path: /Admin/Admin.aspx
path: /RecrystallizeServer/Admin/FileManagement.aspx
path: /RecrystallizeServer/
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ReCrystallize Server Possible Authentication Bypass Attempt via AdminUsername Cookie (CVE-2024-26331)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/RecrystallizeServer/"; startswith; fast_pattern; http.cookie; content:"AdminUsername=admin"; reference:url,sensepost.com/blog/2024/from-discovery-to-disclosure-recrystallize-server-vulnerabilities/; reference:cve,2024-26331; classtype:attempted-admin; sid:2051961; rev:4; metadata:affected_product Web_Server_Applications, created_at 2024_04_09, cve CVE_2024_26331, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, reviewed_at 2024_10_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ReCrystallize Server Possible Authentication Bypass Attempt via AdminUsername Cookie (CVE-2024-26331) and Arbitrary File Upload via FileManagement.aspx (CVE-2024-28269)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/RecrystallizeServer/Admin/FileManagement.aspx"; fast_pattern; http.cookie; content:"AdminUsername=admin"; reference:url,sensepost.com/blog/2024/from-discovery-to-disclosure-recrystallize-server-vulnerabilities/; reference:cve,2024-26331; reference:cve,2024-28269; classtype:attempted-admin; sid:2051962; rev:3; metadata:affected_product Web_Server_Applications, created_at 2024_04_09, cve CVE_2024_26331_CVE_2024_28269, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, reviewed_at 2024_10_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Successful auth bypass produces a response body containing all three strings: 'ReCrystallize Server Administration', 'License Status:', and 'System Info' with HTTP 200.
  • Shodan query 'title:"ReCrystallize"' can be used to identify exposed ReCrystallize Server instances on the internet.
  • The bypass works even when the default password has been changed — the cookie value alone controls access, not the session.
  • The ET rule fires on GET requests to /RecrystallizeServer/ with the AdminUsername=admin cookie (sid:2051961) and on POST requests to /RecrystallizeServer/Admin/FileManagement.aspx with the same cookie (sid:2051962, chained with CVE-2024-28269).
  • The vulnerable version is specifically 5.10.0.0; the cookie-based auth mechanism does not bind the cookie value to a session ID, making any client-side cookie manipulation sufficient for bypass.
  • The Nuclei template targets /Admin/Admin.aspx directly (not the /RecrystallizeServer/ prefix used in the ET rules); both path variants should be covered in detection logic.
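One way to apply the indicators above to web server logs while covering both path variants (an added example, not taken from the page's sources or the vendor). It assumes IIS W3C logging with the cs(Cookie) field enabled; the log lines, `detect`, `parse_cookies` and the `trusted_admin_ips` allowlist are constructed for illustration.

```python
import re

# Path variants from the IOC list above; IIS paths are case-insensitive.
ADMIN_PATHS = re.compile(r"^/(recrystallizeserver/|admin/admin\.aspx)", re.I)
UPLOAD_PATH = "/admin/filemanagement.aspx"

# Constructed IIS W3C log sample (not real traffic); cs(Cookie) logging is
# assumed to be enabled on the site.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip cs(Cookie) sc-status
2024-05-02 10:01:07 GET /RecrystallizeServer/Admin/Admin.aspx 203.0.113.9 AdminUsername=admin 200
2024-05-02 10:01:09 GET /Admin/Admin.aspx 203.0.113.9 ASP.NET_SessionId=abc;+AdminUsername=admin 200
2024-05-02 10:02:30 POST /RecrystallizeServer/Admin/FileManagement.aspx 203.0.113.9 AdminUsername=admin 200
2024-05-02 10:03:00 GET /RecrystallizeServer/ 198.51.100.4 - 302
2024-05-02 10:04:00 GET /index.html 203.0.113.9 AdminUsername=admin 200
2024-05-02 10:05:00 GET /RecrystallizeServer/Admin/Admin.aspx 10.0.0.5 AdminUsername=admin 200
"""

def parse_cookies(raw):
    """Split a logged Cookie header; IIS writes spaces as '+'."""
    cookies = {}
    for part in raw.split(";"):
        name, sep, value = part.strip("+ ").partition("=")
        if sep:
            cookies[name] = value
    return cookies

def detect(log_text, trusted_admin_ips=frozenset()):
    """Hits for AdminUsername=admin on an admin path. trusted_admin_ips is a
    hypothetical allowlist (legitimate admins are assumed to send the same cookie)."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        path = rec.get("cs-uri-stem", "")
        if parse_cookies(rec.get("cs(Cookie)", "")).get("AdminUsername") != "admin":
            continue
        if not ADMIN_PATHS.match(path) or rec.get("c-ip") in trusted_admin_ips:
            continue
        upload = rec.get("cs-method") == "POST" and path.lower().endswith(UPLOAD_PATH)
        hits.append({"ip": rec["c-ip"], "path": path,
                     "kind": "file-upload" if upload else "admin-access",
                     "served": rec.get("sc-status") == "200"})
    return hits
```

The `served` flag only records an HTTP 200 in the log; confirming the response strings listed above requires the response body, which access logs do not hold.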