How to fix CVE-2024-23733?

Within 30 days: Identify all affected systems running login page in the Integration Server in Software AG webMetho and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

Is Software AG affected by CVE-2024-23733?

Organizations using login page in the Integration Server in Software AG webMethods 10.15.0 face notable risk from CVE-2024-23733 rated CVSS 7.5. Exploitation could compromise the security of affected deployments. With an EPSS score of 18%, exploitation is likely in exposed deployments.

Software AG CVE-2024-23733

HIGH

Insufficiently Protected Credentials (CWE-522)

2025-01-29 [email protected]

Information Disclosure

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:06 vuln.today

PoC Detected

Jan 31, 2025 - 21:15 vuln.today

Public exploit code

CVE Published

Jan 29, 2025 - 22:15 nvd

HIGH 7.5

DescriptionNVD

The /WmAdmin/,/invoke/vm.server/login login page in the Integration Server in Software AG webMethods 10.15.0 before Core_Fix7 allows remote attackers to reach the administration panel and discover hostname and version information by sending an arbitrary username and a blank password to the /WmAdmin/#/login/ URI.

AnalysisAI

The /WmAdmin/,/invoke/vm.server/login login page in the Integration Server in Software AG webMethods 10.15.0 before Core_Fix7 allows remote attackers to reach the administration panel and discover. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 18.1%.

Technical ContextAI

This vulnerability is classified as Insufficiently Protected Credentials (CWE-522), which allows attackers to obtain user credentials due to weak protection mechanisms. The /WmAdmin/,/invoke/vm.server/login login page in the Integration Server in Software AG webMethods 10.15.0 before Core_Fix7 allows remote attackers to reach the administration panel and discover hostname and version information by sending an arbitrary username and a blank password to the /WmAdmin/#/login/ URI.

Affected ProductsAI

Software AG webMethods 10.15.0.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Hash passwords with strong algorithms (bcrypt, argon2), encrypt credentials in transit and at rest, never log credentials.

CVE-2024-23733 vulnerability details – vuln.today

Back

Software AG CVE-2024-23733

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

Affected ProductsAI

RemediationAI

Share

External POC / Exploit Code