CVE-2024-37393
published 2024-06-10


Priority: P1 (80, high)
CVSS 3.1: 7.5 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N)
Exploited in the wild (ITW exploit; listed in VulnCheck KEV)
EPSS: 3.30% (87.0th percentile)
Multiple LDAP injection vulnerabilities exist in SecurEnvoy MFA before 9.4.514 due to improper validation of user-supplied input. An unauthenticated remote attacker could exfiltrate data from Active Directory through blind LDAP injection attacks against the DESKTOP service exposed on the /secserver HTTP endpoint. The exfiltrated data may include ms-Mcs-AdmPwd, the attribute in which the Local Administrator Password Solution (LAPS) stores the local administrator password in cleartext.
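To make the bug class concrete, the following is an added example (not SecurEnvoy's code, and not taken from the advisory): a hypothetical USERID lookup that splices the value into an LDAP filter verbatim, the same lookup with RFC 4515 escaping applied, and a blind-extraction loop driven only by a yes/no match oracle, run against a small in-memory directory. The filter shape in build_filter_vulnerable(), the directory entries and the password values are all assumptions constructed for the demo; the attribute names follow the advisory. The payload `*)(sAMAccountName=*` used below is the one recorded under Detection & IOCs.

```python
"""Vulnerable vs. hardened LDAP filter construction, plus a simulated
blind-injection oracle. Added example; the filter shape is an assumption,
not SecurEnvoy's actual code."""
import re

# Constructed directory. Attribute names follow the advisory; values are made up.
DIRECTORY = [
    {"sAMAccountName": "alice",   "memberOf": "Domain Users", "ms-Mcs-AdmPwd": "Zx9!kq"},
    {"sAMAccountName": "svc-mfa", "memberOf": "Domain Users", "ms-Mcs-AdmPwd": "p4ss"},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping (the fix): special bytes become \\XX hex escapes."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter_vulnerable(userid: str) -> str:
    """Hypothetical lookup with USERID spliced in verbatim (the bug class)."""
    return f"(&(sAMAccountName={userid})(memberOf=Domain Users))"


def build_filter_fixed(userid: str) -> str:
    """Same lookup with the user-supplied value escaped first."""
    return f"(&(sAMAccountName={escape_filter_value(userid)})(memberOf=Domain Users))"


def _value_regex(ldap_value: str) -> str:
    """LDAP assertion value -> regex: '*' is a wildcard, \\XX is a literal byte."""
    pieces = []
    for hexesc, star, lit in re.findall(r"\\([0-9a-fA-F]{2})|(\*)|([^\\*]+)", ldap_value):
        if star:
            pieces.append(".*")
        elif hexesc:
            pieces.append(re.escape(chr(int(hexesc, 16))))
        else:
            pieces.append(re.escape(lit))
    return "^" + "".join(pieces) + "$"


def search(filter_str: str, directory: list) -> list:
    """Tiny evaluator for (&(attr=value)...) filters. AD compares most string
    attributes case-insensitively, so matching is case-insensitive here too."""
    m = re.fullmatch(r"\(&((?:\([^()]*\))+)\)", filter_str)
    if not m:
        raise ValueError("unsupported or malformed filter: " + filter_str)
    items = re.findall(r"\(([^()=]+)=([^()]*)\)", m.group(1))
    hits = []
    for entry in directory:
        attrs = {k.lower(): v for k, v in entry.items()}
        if all(re.fullmatch(_value_regex(v), attrs.get(a.lower(), ""), re.IGNORECASE)
               for a, v in items):
            hits.append(entry)
    return hits


# Characters tried at each position. Lowercase only: the directory match is
# case-insensitive, so the recovered value comes back case-folded.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789!#$%&+-./:;<=>?@[]^_{}|~"


def blind_extract(target_user: str, attr: str, build_filter, directory: list,
                  max_len: int = 64) -> str:
    """Recover `attr` of `target_user` from a yes/no oracle, one character at a time.

    Each probe closes the sAMAccountName assertion and appends a prefix test,
    e.g. USERID = 'alice)(ms-Mcs-AdmPwd=z*'. The only feedback is whether any
    entry matched, which is what makes the injection blind."""
    known = ""
    while len(known) < max_len:
        for ch in ALPHABET:
            guess = known + ch
            payload = f"{target_user})({attr}={escape_filter_value(guess)}*"
            if search(build_filter(payload), directory):
                known = guess
                break
        else:
            break  # no character extends the prefix: value fully recovered
    return known


if __name__ == "__main__":
    enum = "*)(sAMAccountName=*"  # payload from the IOC list
    print("vulnerable, enumeration payload:", len(search(build_filter_vulnerable(enum), DIRECTORY)), "entries")
    print("fixed, same payload:            ", len(search(build_filter_fixed(enum), DIRECTORY)), "entries")
    print("vulnerable, blind LAPS extract: ", blind_extract("alice", "ms-Mcs-AdmPwd", build_filter_vulnerable, DIRECTORY))
    print("fixed, blind LAPS extract:      ", repr(blind_extract("alice", "ms-Mcs-AdmPwd", build_filter_fixed, DIRECTORY)))
```

Two points worth noting from the run. The enumeration payload turns a one-user lookup into `(&(sAMAccountName=*)(sAMAccountName=*)(memberOf=Domain Users))`, which is still a syntactically valid filter, so nothing on the server side fails loudly. And because AD string matching is case-insensitive, a blind oracle recovers a case-folded password; an attacker still has to try case variants, but the search space is small. The escaped builder leaves the injected parentheses as literal bytes inside the value, so the same probes never match anything.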

Affected (1 range)

Vendor       Product                                  Version range   Fixed in
securenvoy   multi-factor_authentication_solutions    < 9.4.514       9.4.514

Detection & IOCs (extracted from sources)

path: /secserver
command: FLAG=DESKTOP 1 STATUS:INIT USERID:{{userid}})(sAMAccountName=* MEMBEROF:Domain Users
command: FLAG=DESKTOP 1 STATUS:INIT USERID:*)(sAMAccountName=* MEMBEROF:Domain Users
  • Monitor POST requests to /secserver/? whose USERID field contains LDAP meta-characters (for example the sequence `)(sAMAccountName=*`) as indicators of blind LDAP injection attempts against the DESKTOP service.
  • Use Shodan/FOFA queries such as title:"SecurEnvoy" to identify exposed SecurEnvoy MFA instances that may be vulnerable.
  • Exfiltration of the ms-Mcs-AdmPwd Active Directory attribute via LDAP injection yields cleartext LAPS local administrator passwords; monitor AD logs for unusual LDAP queries targeting this attribute.
  • The vulnerability requires no authentication and affects SecurEnvoy MFA versions before 9.4.514; instances on 9.4.514 or later are not affected.
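The first bullet above is straightforward to turn into a rule. The following is an added example (not a vendor rule and not from the advisory's sources) that parses the DESKTOP request body, pulls out the USERID field, and flags LDAP filter meta-characters in it, including when the body arrives percent-encoded. The request records and the dict field names are constructed to resemble what a reverse proxy or WAF might log and are assumptions; adapt them to your own log source.

```python
"""Detection logic for the /secserver DESKTOP indicator: flag POST bodies whose
USERID field carries LDAP filter meta-characters. Added example, not a vendor
or product rule; SAMPLE_REQUESTS is constructed traffic."""
import re
from urllib.parse import unquote_plus

# Characters that can alter LDAP filter structure (RFC 4515 specials plus the
# boolean operators). They rarely, if ever, appear in a real username.
LDAP_META = set("*()\\|&!\x00")

# Constructed sample traffic: a legitimate DESKTOP request, the enumeration
# payload from the IOC list, a percent-encoded extraction probe, and two
# requests that must not match (wrong method, wrong path).
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/secserver/?", "body": "FLAG=DESKTOP 1 STATUS:INIT USERID:jsmith MEMBEROF:Domain Users"},
    {"method": "POST", "path": "/secserver/?", "body": "FLAG=DESKTOP 1 STATUS:INIT USERID:*)(sAMAccountName=* MEMBEROF:Domain Users"},
    {"method": "POST", "path": "/secserver/?", "body": "FLAG%3DDESKTOP+1+STATUS%3AINIT+USERID%3Ajsmith%29%28ms-Mcs-AdmPwd%3DZ%2A+MEMBEROF%3ADomain+Users"},
    {"method": "GET",  "path": "/secserver/?", "body": ""},
    {"method": "POST", "path": "/other",       "body": "FLAG=DESKTOP 1 STATUS:INIT USERID:*)(x=* MEMBEROF:Domain Users"},
]

# USERID runs up to the next "KEY:" token (e.g. " MEMBEROF:") or end of body,
# so meta-characters and '=' inside the value are captured intact.
USERID_RE = re.compile(r"USERID:(.*?)(?=\s+[A-Z]+:|\s*$)")


def extract_userid(body: str):
    """Return the USERID value from a DESKTOP body, or None if it is not one."""
    decoded = unquote_plus(body)  # bodies may arrive percent-encoded
    if "FLAG=DESKTOP" not in decoded:
        return None
    m = USERID_RE.search(decoded)
    return m.group(1) if m else None


def detect(requests: list) -> list:
    """Flag /secserver POSTs whose USERID contains LDAP meta-characters."""
    findings = []
    for i, req in enumerate(requests):
        if req["method"] != "POST" or not req["path"].startswith("/secserver"):
            continue
        userid = extract_userid(req["body"])
        if userid is None:
            continue
        meta = sorted({c for c in userid if c in LDAP_META})
        if meta:
            findings.append({"index": i, "userid": userid, "meta": meta})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_REQUESTS):
        print(f"request #{f['index']}: USERID={f['userid']!r} meta={''.join(f['meta'])}")
```

Decode before matching: a probe sent as `USERID%3Ajsmith%29%28ms-Mcs-AdmPwd%3DZ%2A` contains no literal parenthesis until it is URL-decoded, and a rule that greps the raw body for `)(` misses it. A blind extraction also produces many requests per second from one source with USERID values that differ by one trailing character, so counting flagged requests per client over a short window is a useful second signal.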

CVSS provenance

NVD (v3.1):   7.5 HIGH   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
VulnCheck:    7.5 HIGH