NN-2025:2-01
Privilege escalation in Guardian/CMC before 24.6.0
Last update: 2025-06-10
| Advisory ID | NN-2025:2-01 |
|---|---|
| Topic | Privilege escalation in Guardian/CMC before 24.6.0 |
| CWE Impact | CWE-250: Execution with Unnecessary Privileges |
| Issue date | 2025-06-10 |
| Affects | Guardian, CMC < v24.6.0 |
| CVE Name(s) | CVE-2024-13090 |
| CVSS Details | CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVSS Score | 7.3 (CVSS v4.0) 7.0 (CVSS v3.1) |
| CVE Risk Level | High (CVSS v4.0) High (CVSS v3.1) |
| Risk Level for Nozomi customers | Medium |
Summary
A privilege escalation vulnerability may enable a service account to elevate its privileges.
Impact
The sudo rules configured for a local service account were excessively permissive, potentially allowing administrative access if a malicious actor could execute arbitrary commands as that account. It is important to note that no such vector has been identified in this instance.
Affected Products
Guardian, CMC < v24.6.0
Workarounds and Mitigations
N/A
Solutions
Upgrade to v24.6.0 or later.
Modification History
2025-06-10: Initial revision
Related Links
Acknowledgements
We thank the following parties for their efforts:
- IOActive for finding this issue during a VAPT testing session commissioned by one of our customers
Contact
Nozomi Networks Product Security team can be reached at prodsec@nozominetworks.com.More contact details on the PSIRT page.