// For flags

CVE-2024-13090

Privilege escalation in Guardian/CMC before 24.6.0

Severity Score

7.3
*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

A privilege escalation vulnerability may enable a service account to elevate its privileges. The sudo rules configured for a local service account were excessively permissive, potentially allowing administrative access if a malicious actor could execute arbitrary commands as that account. It is important to note that no such vector has been identified in this instance.

Una vulnerabilidad de escalada de privilegios podría permitir que una cuenta de servicio eleve sus privilegios. Las reglas de sudo configuradas para una cuenta de servicio local eran excesivamente permisivas, lo que podría permitir acceso administrativo si un agente malicioso pudiera ejecutar comandos arbitrarios desde esa cuenta. Es importante destacar que no se ha identificado tal vector en este caso.

*Credits: IOActive found this issue during a VAPT testing session commissioned by one of our customers.
CVSS Scores
Attack Vector
Local
Attack Complexity
High
Attack Requirements
None
Privileges Required
Low
User Interaction
None
System
Vulnerable | Subsequent
Confidentiality
High
None
Integrity
High
None
Availability
High
None
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
High
Authentication
Single
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:Track*
Exploitation
None
Automatable
No
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2024-12-31 CVE Reserved
  • 2025-06-10 CVE Published
  • 2025-06-10 CVE Updated
  • 2025-06-16 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-250: Execution with Unnecessary Privileges
CAPEC
  • CAPEC-69: Target Programs with Elevated Privileges
  • CAPEC-233: Privilege Escalation
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Nozomi Networks
Search vendor "Nozomi Networks"
Guardian
Search vendor "Nozomi Networks" for product "Guardian"
< 24.6.0
Search vendor "Nozomi Networks" for product "Guardian" and version " < 24.6.0"
en
Affected
Nozomi Networks
Search vendor "Nozomi Networks"
CMC
Search vendor "Nozomi Networks" for product "CMC"
< 24.6.0
Search vendor "Nozomi Networks" for product "CMC" and version " < 24.6.0"
en
Affected