CVE-2024-26331
Published 2024-04-30
Priority: P2 · 71 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 49.32% (98.7th percentile)
ReCrystallize Server 5.10.0.0 uses an authorization mechanism that relies on the value of a cookie, but it does not bind the cookie value to a session ID. Attackers can easily modify the cookie value, within a browser or by implementing client-side code outside of a browser. Attackers can bypass the authentication mechanism by modifying the cookie to contain an expected value.
Detection & IOCs (extracted from sources)
path: /Admin/Admin.aspx
path: /RecrystallizeServer/Admin/FileManagement.aspx
path: /RecrystallizeServer/
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ReCrystallize Server Possible Authentication Bypass Attempt via AdminUsername Cookie (CVE-2024-26331)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/RecrystallizeServer/"; startswith; fast_pattern; http.cookie; content:"AdminUsername=admin"; reference:url,sensepost.com/blog/2024/from-discovery-to-disclosure-recrystallize-server-vulnerabilities/; reference:cve,2024-26331; classtype:attempted-admin; sid:2051961; rev:4; metadata:affected_product Web_Server_Applications, created_at 2024_04_09, cve CVE_2024_26331, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, reviewed_at 2024_10_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ReCrystallize Server Possible Authentication Bypass Attempt via AdminUsername Cookie (CVE-2024-26331) and Arbitrary File Upload via FileManagement.aspx (CVE-2024-28269)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/RecrystallizeServer/Admin/FileManagement.aspx"; fast_pattern; http.cookie; content:"AdminUsername=admin"; reference:url,sensepost.com/blog/2024/from-discovery-to-disclosure-recrystallize-server-vulnerabilities/; reference:cve,2024-26331; reference:cve,2024-28269; classtype:attempted-admin; sid:2051962; rev:3; metadata:affected_product Web_Server_Applications, created_at 2024_04_09, cve CVE_2024_26331_CVE_2024_28269, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, reviewed_at 2024_10_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Successful auth bypass produces a response body containing all three strings: 'ReCrystallize Server Administration', 'License Status:', and 'System Info' with HTTP 200.
- Shodan query 'title:"ReCrystallize"' can be used to identify exposed ReCrystallize Server instances on the internet.
- The bypass works even when the default password has been changed: the cookie value alone controls access, not the session.
- The ET rule fires on GET requests to /RecrystallizeServer/ with the AdminUsername=admin cookie (sid:2051961) and on POST requests to /RecrystallizeServer/Admin/FileManagement.aspx with the same cookie (sid:2051962, chained with CVE-2024-28269).
- The vulnerable version is specifically 5.10.0.0; the cookie-based auth mechanism does not bind the cookie value to a session ID, making any client-side cookie manipulation sufficient for bypass.
- The Nuclei template targets /Admin/Admin.aspx directly (not the /RecrystallizeServer/ prefix used in the ET rules); both path variants should be covered in detection logic.
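The coverage point in the last note, as an added example (not code from this page, the ET ruleset or the Nuclei template): log triage that matches the AdminUsername cookie on both path variants and uses the three response strings to separate attempts from served admin pages. The record fields (method, uri, cookie, status, body) and the sample records are assumptions; case-insensitive matching is this example's choice and is broader than the ET rules' literal content matches.

```python
# Paths from the page: the ET rules' URI prefix plus the admin pages, which the
# Nuclei template requests without that prefix. Lower-cased for comparison.
APP_PREFIX = "/recrystallizeserver/"
ADMIN_PAGES = ("/admin/admin.aspx", "/admin/filemanagement.aspx")
# Response strings the page lists for a served admin page (all three, HTTP 200).
PAGE_MARKERS = ("ReCrystallize Server Administration", "License Status:", "System Info")


def admin_cookie_present(cookie_header):
    """True if a Cookie header carries AdminUsername with a value starting 'admin'."""
    for part in (cookie_header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name.strip().lower() == "adminusername" and value.strip().lower().startswith("admin"):
            return True
    return False


def classify(rec):
    """Label one record: none, attempt, upload-attempt or admin-page-served."""
    path = rec["uri"].split("?", 1)[0].lower()
    in_scope = path.startswith(APP_PREFIX) or path.endswith(ADMIN_PAGES)
    if not in_scope or not admin_cookie_present(rec.get("cookie")):
        return "none"
    if rec.get("status") == 200 and all(m in rec.get("body", "") for m in PAGE_MARKERS):
        return "admin-page-served"
    if rec["method"] == "POST" and path.endswith(ADMIN_PAGES[1]):
        return "upload-attempt"
    return "attempt"


def triage(records):
    """Classify every record, preserving order."""
    return [classify(r) for r in records]


# Constructed sample records (hypothetical log schema, not real traffic).
ADMIN_BODY = "<h1>ReCrystallize Server Administration</h1> License Status: ok | System Info"
SAMPLE = [
    {"method": "GET", "uri": "/RecrystallizeServer/Admin/Admin.aspx", "cookie": "AdminUsername=admin", "status": 200, "body": ADMIN_BODY},
    {"method": "GET", "uri": "/admin/admin.aspx", "cookie": "ASP.NET_SessionId=abc; adminusername=ADMIN", "status": 302, "body": ""},
    {"method": "POST", "uri": "/RecrystallizeServer/Admin/FileManagement.aspx", "cookie": "AdminUsername=admin", "status": 200, "body": ""},
    {"method": "GET", "uri": "/RecrystallizeServer/", "cookie": "lang=en", "status": 200, "body": ""},
    {"method": "GET", "uri": "/index.html", "cookie": "AdminUsername=admin", "status": 200, "body": ""},
]

if __name__ == "__main__":
    for rec, label in zip(SAMPLE, triage(SAMPLE)):
        print(f"{label:18} {rec['method']} {rec['uri']}")
```

Because the cookie value alone controls access, a legitimate administrator's requests can produce the same labels; correlate hits with expected admin sources before escalating.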
Nuclei
ReCrystallize Server - Authentication Bypass
nuclei·CVSS 7.5
This vulnerability allows an attacker to bypass authentication in the ReCrystallize Server application by manipulating the 'AdminUsername' cookie. This gives the attacker administrative access to the application's functionality, even when the default password has been changed.
Template:
id: CVE-2024-26331
info:
  name: ReCrystallize Server - Authentication Bypass
  author: Carson Chan
  severity: high
  description: |
    This vulnerability allows an attacker to bypass authentication in the ReCrystallize Server application by manipulating the 'AdminUsername' cookie. This gives the attacker administrative access to the application's functionality, even when the default password has been changed.
  impact: |
    Unauthenticated attackers can bypass authenticati
https://sensepost.com/blog/2024/from-discovery-to-disclosure-recrystallize-server-vulnerabilities/
https://www.recrystallize.com/merchant/ReCrystallize-Server-for-Crystal-Reports.htm