CVE-2024-13090

Privilege escalation in Guardian/CMC before 24.6.0

Severity Score

7.3

*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

A privilege escalation vulnerability may enable a service account to elevate its privileges. The sudo rules configured for a local service account were excessively permissive, potentially allowing administrative access if a malicious actor could execute arbitrary commands as that account. It is important to note that no such vector has been identified in this instance.

Una vulnerabilidad de escalada de privilegios podría permitir que una cuenta de servicio eleve sus privilegios. Las reglas de sudo configuradas para una cuenta de servicio local eran excesivamente permisivas, lo que podría permitir acceso administrativo si un agente malicioso pudiera ejecutar comandos arbitrarios desde esa cuenta. Es importante destacar que no se ha identificado tal vector en este caso.

*Credits: IOActive found this issue during a VAPT testing session commissioned by one of our customers.

CVSS Scores

Attack Vector

Local

Attack Complexity

High

Attack Requirements

None

Privileges Required

Low

User Interaction

None

System

Vulnerable | Subsequent

Confidentiality

High

None

Integrity

High

None

Availability

High

None

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

High

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-12-31 CVE Reserved
2025-06-10 CVE Published
2025-06-10 CVE Updated
2025-06-16 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-250: Execution with Unnecessary Privileges

CAPEC

CAPEC-69: Target Programs with Elevated Privileges
CAPEC-233: Privilege Escalation

References (1)

URL	Tag	Source
https://security.nozominetworks.com/NN-2025:2-01

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Nozomi Networks Search vendor "Nozomi Networks"		Guardian Search vendor "Nozomi Networks" for product "Guardian"				< 24.6.0 Search vendor "Nozomi Networks" for product "Guardian" and version " < 24.6.0"		en		Affected
Nozomi Networks Search vendor "Nozomi Networks"		CMC Search vendor "Nozomi Networks" for product "CMC"				< 24.6.0 Search vendor "Nozomi Networks" for product "CMC" and version " < 24.6.0"		en		Affected