CVE-2024-2464: Application users enumeration in CDeX

Vulnerability detected by me in the CDeX software offered by the company of the same name. This vulnerability occurs during password recovery, where a difference in messages could allow an attacker to determine if the user is valid or not, enabling a brute force attack with valid users.

CVE-2024-2464: Application users enumeration in CDeX


On the software manufacturer’s website, we can read the following product description: “CDeX (Cyber Defense eXercise Platform) is a virtual training platform designed to enhance cyber defense skills and develop cybersecurity technologies. Our advanced cyber offering provides a fully scalable, automated, and hyperrealistic training environment, which allows team members to build competence in the field of cyber defense.”

Vulnerability description

Access to the platform is possible through logging in with SSO (Single Sign-On) or by using login data, including the username and password. If a user forgets their password, they can use the password recovery option. An attacker, by utilizing the password recovery mechanism and analyzing differences in the responses received, can effectively identify users of the application.

Exploitation scenario

The example of exploiting the vulnerability is presented in the following video:


1 February 2024Report sent to CDeX
15 February 2024Report sent to CERT Polska
23 February 2024CDeX confirms the vulnerability exists
11 March 2024CDeX releases a software patch
15 March 2024CERT Polska assigns CVE-2024-2464 to this vulnerability
21 March 2024CERT Polska publishes the vulnerability

How to prevent similar vulnerabilities in your application

It is considerably easier for an attacker to break your authentication mechanisms if you reveal that a user exists on the system. There are even certain situations where, due to the nature of the website, the knowledge that a particular person has an account is sensitive information in itself.

Regardless of whether an attempted username is valid, it is important to use identical, generic error messages, and make sure they really are identical. You should always return the same HTTP status code with each login request and, finally, make the response times in different scenarios as indistinguishable as possible.