External risk intelligence

MISP Export Generation Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2024-25675

MISP is an open-source threat intelligence platform commonly deployed as a web-accessible service to facilitate the sharing of information between organizations. Because it is designed to be a network-reachable application for collaborative data exchange and exports, its web interface is frequently exposed to the internet or wide internal networks.

Misp Project Misp

before 2.4.184

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

An issue has been identified in MISP, a threat intelligence platform, that allows for unauthorized generation of export processes. This vulnerability could potentially expose sensitive data if exploited.

  • Unsecured export generation in threat intelligence platform.
  • Critical issue allows data access and modification.
  • Confirm relevance and exposure of this system.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending a specially crafted request to the MISP server. This request does not require authentication or specific user interaction to initiate an export generation process, potentially allowing unauthorized access to or manipulation of exported data.

  • No authentication needed to trigger.
  • Initiates export generation via GET request.
  • Leads to unauthorized data access or modification.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows unauthenticated attackers to initiate data export generation processes via a network request, potentially affecting the integrity and availability of system services when supported by the advisory.

  • System data and service behavior at risk.
  • Unauthenticated network requests can trigger exports.
  • Potential for service disruption or unauthorized data access.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability, affecting MISP's export generation process, requires coordinated action. Application owners are responsible for the MISP instance, while network and security teams must assess external exposure. The first step is to inventory all MISP deployments, determine their reachability and criticality, and identify the specific accountable teams for each instance to plan remediation based on risk.

  • Identify MISP instances and owners.
  • Verify export generation reachability.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is MISP?

MISP is an open-source threat intelligence platform. Security teams use it to collect, correlate, and share indicators of compromise and other security data with partners. It is built as a web-accessible application to support collaborative analysis and information exchange across distributed teams or organizations.

What does CWE-749 mean for CVE-2024-25675?

This vulnerability falls under CWE-749, or Exposed Dangerous Method or Function. In the context of CVE-2024-25675, it means the application inadvertently allows users to trigger a sensitive background process—specifically data export generation—through an improper web interface endpoint. Instead of requiring a secure POST request, the system accepts triggers in a way that allows unauthorized execution of this function.

How is the export generation process triggered?

An attacker triggers this bug by sending a simple, specially crafted network request to the MISP server. Crucially, the system is designed to perform this action even without authentication. Simply visiting or requesting the export endpoint is sufficient to start the process; it does not require a user to be logged in or to interact with the interface in any specific way to initiate the unauthorized export.

Is my MISP instance at risk?

Your risk depends on your network configuration. According to Halo Surface Signal, MISP is commonly deployed as a web-accessible service, meaning it is often placed on the internet or wide internal networks to facilitate data sharing. If your specific instance is reachable over the network to entities outside of your trusted control, it may be exposed to this vulnerability.

What should I do to address this vulnerability?

First, inventory all MISP instances within your environment and identify the teams responsible for managing them. Once you have a clear list, verify which instances are accessible over your network. Prioritize these for updates to the patched version, as the fix involves restricting how the export process is triggered to ensure only authorized actions are permitted.

References