CVE-2024-37393
Published 2024-06-10
Priority: P180 · high 7.5 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
ITW exploit: VulnCheck KEV (exploited in the wild)
EPSS: 3.30% (87.0th percentile)
Multiple LDAP injection vulnerabilities exist in SecurEnvoy MFA before 9.4.514 due to improper validation of user-supplied input. An unauthenticated remote attacker could exfiltrate data from Active Directory through blind LDAP injection attacks against the DESKTOP service exposed on the /secserver HTTP endpoint. This may include ms-Mcs-AdmPwd, which holds the cleartext password for the Local Administrator Password Solution (LAPS) feature.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| securenvoy | multi-factor_authentication_solutions | < 9.4.514 | 9.4.514 |
Detection & IOCs (extracted from sources)
Request-body indicators (two variants):

```text
commandFLAG=DESKTOP
1
STATUS:INIT
USERID:{{userid}})(sAMAccountName=*
MEMBEROF:Domain Users
```

```text
commandFLAG=DESKTOP
1
STATUS:INIT
USERID:*)(sAMAccountName=*
MEMBEROF:Domain Users
```
- Monitor POST requests to /secserver/? containing LDAP meta-characters in the USERID field (e.g., `)(sAMAccountName=*`) as indicators of blind LDAP injection attempts against the DESKTOP service.
- Use Shodan/FOFA queries `title:"SecurEnvoy"` to identify exposed SecurEnvoy MFA instances that may be vulnerable.
- Exfiltration of the ms-Mcs-AdmPwd Active Directory attribute via LDAP injection yields cleartext LAPS local administrator passwords; monitor AD logs for unusual LDAP queries targeting this attribute.
- The vulnerability is unauthenticated and affects SecurEnvoy MFA versions before 9.4.514 only; patched instances (9.4.514+) are not affected.
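As an added defensive example (not code from SecurEnvoy or from any of the sources listed here), the following parses a request body laid out like the indicators above, flags a USERID carrying LDAP filter meta-characters, and shows the RFC 4515 value escaping a server-side fix would apply before interpolating the value into a search filter. The KEY:VALUE line layout, the `(sAMAccountName=...)` filter shape and the two sample bodies are assumptions constructed for the example.

```python
# Characters that change the structure of an LDAP search filter if they
# appear unescaped inside a value (RFC 4515, section 3).
LDAP_FILTER_META = set('*()\\\x00')


def escape_ldap_filter_value(value: str) -> str:
    """Escape a user-supplied value as \\XX hex pairs so it stays a literal (RFC 4515)."""
    out = []
    for ch in value:
        out.append('\\%02x' % ord(ch) if ch in LDAP_FILTER_META else ch)
    return ''.join(out)


def parse_desktop_body(body: str) -> dict:
    """Split a DESKTOP request body into KEY -> VALUE on the first ':' of each line.

    Layout assumed from the IOC listing on this page; lines without ':' are skipped.
    """
    fields = {}
    for line in body.splitlines():
        if ':' in line:
            key, _, val = line.partition(':')
            fields[key.strip()] = val
    return fields


def ldap_meta_in_userid(body: str) -> bool:
    """Detection check: True if the USERID field contains any LDAP filter meta-character."""
    userid = parse_desktop_body(body).get('USERID', '')
    return any(ch in LDAP_FILTER_META for ch in userid)


def build_filter(userid: str) -> str:
    """Hardened construction: the value is escaped before it reaches the filter string."""
    return '(sAMAccountName=%s)' % escape_ldap_filter_value(userid)


# Constructed sample bodies, not captured traffic.
BENIGN = "FLAG=DESKTOP\n1\nSTATUS:INIT\nUSERID:jdoe\nMEMBEROF:Domain Users\n"
SUSPICIOUS = "FLAG=DESKTOP\n1\nSTATUS:INIT\nUSERID:*)(sAMAccountName=*\nMEMBEROF:Domain Users\n"

if __name__ == '__main__':
    for label, body in (('benign', BENIGN), ('suspicious', SUSPICIOUS)):
        print(label, 'flagged' if ldap_meta_in_userid(body) else 'clean')
    # The escaped form keeps the injected text inside a single attribute value.
    print(build_filter(parse_desktop_body(SUSPICIOUS)['USERID']))
```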
CVSS provenance

| Source | Score | Vector |
|---|---|---|
| NVD (v3.1) | 7.5 HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| VulnCheck | 7.5 HIGH | |
GHSA
GHSA-m2cr-jxg8-pr4v (ghsa_unreviewed · 2024-06-10): CVE-2024-37393 [HIGH], CWE-319. Same description as the CVE record above.
VulnCheck
securenvoy multi-factor_authentication_solutions: Cleartext Transmission of Sensitive Information (vulncheck · 2024 · CVSS 7.5, CVE-2024-37393 [HIGH]). Same description as the CVE record above.
Affected: securenvoy multi-factor_authentication_solutions
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.
No detection rules found.
Nuclei
SecurEnvoy Two Factor Authentication - LDAP Injection (nuclei · CVSS 7.5, CVE-2024-37393 [HIGH]). Same description as the CVE record above.
Template:

```yaml
id: CVE-2024-37393
info:
  name: SecurEnvoy Two Factor Authentication - LDAP Injection
  author: s4e-io
  severity: critical
  description: |
    Multiple LDAP injections vulnerabilities exist in SecurEnvoy MFA before 9.4.514 due to improper validation of user-supplied input. An unauthenticated remote a
```
References:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-ada2/ad2ce8fa-42a0-4371-ad18-5d1d1c488b22
- https://securenvoy.com/support/
- https://www.optistream.io/blogs/tech/securenvoy-cve-2024-37393