CVE-2024-38648
Description
A hardcoded secret in Ivanti DSM before 2024.2 allows an authenticated attacker on an adjacent network to decrypt sensitive data including user credentials.
Overview
- State: PUBLISHED
- Assigner (CNA): hackerone
- CVSS severity: CRITICAL
- CVSS score: 9.0 / 10
- CVSS vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- Effective score: 9.0 / 10 CRITICAL (source: CNA overview)
- CWE(s): —
- Reserved: 2024-06-19
- Published: 2025-07-12 05:30 UTC
- Last updated: 2025-07-14 18:12 UTC
- Source: https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/38xxx/CVE-2024-38648.json
- Linked Threat: CVE-2024-38648
NVD triage scoring (NVD CVE 2.0)
Layer NVD adds on top of the CNA's CVE record — published / last-modified timestamps, exploitability / impact subscores, and the FIRST.org EPSS probability that this CVE will be exploited in the wild in the next 30 days.
- EPSS score: 0.0055 (probability of exploitation in the next 30 days)
- EPSS percentile: 41.85% vs all CVEs (higher = more likely to be exploited), as of 2026-06-18
NVD / KEV / EPSS data refreshed 2026-06-19 11:36 UTC.
European Union Vulnerability Database ENISA EUVD
ENISA's official EU repository for curated vulnerability intelligence. Carries a separate identifier (EUVD-YYYY-NNNN) and frequently exposes an earlier-published description + CVSS than NVD does.
- EUVD ID: EUVD-2024-54777
- Assigner: hackerone
- Published: Jul 12, 2025, 3:30:40 AM
- Updated: Jul 14, 2025, 4:12:29 PM
- EUVD base score (CVSS 3.0): 9.0 / 10, CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- EUVD-reported EPSS: 0.0700
- Vendors: Ivanti
- Products: DSM (2024.2 <2024.2)
- Aliases: GHSA-8vv2-mwjj-9vr6
ENISA description: A hardcoded secret in Ivanti DSM before 2024.2 allows an authenticated attacker on an adjacent network to decrypt sensitive data including user credentials.
EUVD references (1)
Affected products (1)
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| Ivanti | DSM | 2024.2 (affected) | — |
Remediations (10)
Remediations are stored against the linked Threat row; the list below is deduplicated across both pages.
- web:blog.talosintelligence.com (2026-05-22 09:53 UTC): Microsoft has released its monthly security update for August 2025, which includes 111 vulnerabilities affecting a range of products, including 13 that Microsoft marked as "critical".
- web:cisa.gov (2026-05-22 09:53 UTC): Update (08/12/2025): CISA has updated this alert to provide clarification on identifying Exchange Servers on an organization's networks and provided further guidance on running the Microsoft Exchange Health Checker. Update (08/07/2025): CISA issued Emergency Directive (ED) 25-02: Mitigate Microsoft Exchange Vulnerability in response to CVE-2025-53786.
- web:cybersecuritynews.com (2026-05-22 09:53 UTC): Microsoft's May 2026 Patch Tuesday lands with a heavy enterprise focus, fixing 120 vulnerabilities across Windows, Office, Azure, developer tools, and Microsoft 365 apps, including 29 remote code execution (RCE) flaws rated Critical.
- web:gbhackers.com (2026-05-22 09:53 UTC): Microsoft has released its September 2025 Patch Tuesday update, addressing a total of 81 security vulnerabilities across its product portfolio.
- web:isc.sans.edu (2026-05-22 09:53 UTC): Users should prioritize patching these vulnerabilities to prevent unauthorized code execution. Additionally, the Windows Kerberos Elevation of Privilege Vulnerability (CVE-2025-53779), a disclosed zero-day, requires high privileges to exploit but could lead to domain administrator access, necessitating careful monitoring and mitigation.
- web:krebsonsecurity.com (2026-05-22 09:53 UTC): The reason is that after the Patch Tuesday on October 14, 2025, Microsoft will stop shipping free security updates for Windows 10 computers.
- web:portal.msrc.microsoft.com (2026-05-22 09:53 UTC): The Security Update Guide provides information on the latest Microsoft security updates, helping users understand and address potential vulnerabilities effectively.
- web:www.lansweeper.com (2026-05-22 09:53 UTC): Which vulnerabilities, issues, and other things did Microsoft update? Discover what's new using Lansweeper's Patch Tuesday August 2025 summary.
- web:www.oracle.com (2026-05-22 09:53 UTC): This Critical Patch Update contains 481 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at April 2026 Critical Patch Update: Executive Summary and Analysis.
- web:www.securityweek.com (2026-05-22 09:53 UTC): Microsoft's August 2025 Patch Tuesday updates address critical vulnerabilities in Windows, Office, and Hyper-V.
Vendor references (1)
References embedded in the original CVE record by the assigning CNA.
MITRE references (1) cveawg.mitre.org
Pulled from MITRE's CVE Services API.
Web references (0)
DuckDuckGo results ranked by threat-intel / vendor advisory domains.
No web references attached yet.
Raw JSON
The full cvelistV5 record.
{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-38648",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-14T16:11:27.531044Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-798",
                "description": "CWE-798 Use of Hard-coded Credentials",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-14T16:12:29.434Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "DSM",
          "vendor": "Ivanti",
          "versions": [
            {
              "lessThan": "2024.2",
              "status": "affected",
              "version": "2024.2",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A hardcoded secret in Ivanti DSM before 2024.2 allows an authenticated attacker on an adjacent network to decrypt sensitive data including user credentials."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 9,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-12T03:30:40.276Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "url": "https://forums.ivanti.com/s/article/SA-2024-07-12-CVE-2024-38648"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2024-38648",
    "datePublished": "2025-07-12T03:30:40.276Z",
    "dateReserved": "2024-06-19T01:04:07.137Z",
    "dateUpdated": "2025-07-14T16:12:29.434Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}