CVE-2024-22245 CRITICAL

CVE-2024-22245: Arbitrary Authentication Relay Vulnerability in Deprecated EAP Browser Plugin

Vendor VMware
Product VMware Enhanced Authentication Plug-in (EAP)
Weakness CWE-287 · Improper authentication
Published February 20, 2024
Last update August 27, 2024

CVSS base score

9.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Changed
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

Arbitrary Authentication Relay and Session Hijack vulnerabilities in the deprecated VMware Enhanced Authentication Plug-in (EAP) could allow a malicious actor who can trick a target domain user, with EAP installed in their web browser, into requesting Kerberos service tickets for arbitrary Active Directory Service Principal Names (SPNs) and relaying them to the attacker. The flaw lives in the browser plug-in on the user's workstation rather than in vCenter itself, so exposure is determined by which endpoints still have the deprecated plug-in installed, and the required user interaction (UI:R) is the lure that gets the user to visit attacker-controlled content.
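Because the vulnerable component is a workstation-side browser plug-in, the practical check is to inventory Windows endpoints for it. The following PowerShell script is an added example, not from this CVE record or from VMware: it looks for EAP in the standard Windows uninstall registry keys by the product name shown above. It assumes the plug-in registers there with a DisplayName containing "Enhanced Authentication Plug-in"; the service display-name pattern "*VMware Plug-in*" used for the companion Windows service is also an assumption.

```powershell
# Added example (not part of the CVE record or VMware's own tooling):
# inventory a Windows workstation for the deprecated VMware Enhanced
# Authentication Plug-in (EAP), the component affected by CVE-2024-22245.
# Assumptions: EAP registers under the standard uninstall keys with a
# DisplayName containing "Enhanced Authentication Plug-in"; the service
# display-name pattern "*VMware Plug-in*" is an assumption as well.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Installed-program entries whose display name matches the EAP product name.
$eapInstalls = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Enhanced Authentication Plug-in*' } |
    Select-Object DisplayName, DisplayVersion, InstallDate, UninstallString

# Windows services whose display name matches the assumed EAP service pattern.
$eapServices = Get-Service -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*VMware Plug-in*' } |
    Select-Object Name, DisplayName, Status, StartType

$result = [pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    EapInstalled    = [bool]$eapInstalls
    EapServiceFound = [bool]$eapServices
    Installs        = $eapInstalls
    Services        = $eapServices
}

if ($result.EapInstalled -or $result.EapServiceFound) {
    # The plug-in is deprecated, so any hit is a finding to remediate.
    Write-Warning "CVE-2024-22245: deprecated VMware EAP present on $($result.ComputerName)."
    $result.Installs | Format-Table -AutoSize
    $result.Services | Format-Table -AutoSize
} else {
    Write-Output "No VMware Enhanced Authentication Plug-in found on $($result.ComputerName)."
}

# Emit the structured result so the script can be run fleet-wide
# (e.g. via Invoke-Command) and the objects collected centrally.
$result
```

Run it in an elevated session on each workstation that has ever been used for vCenter administration; the HKCU key is included because a per-user install would not appear under HKLM.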

Key dates

02 Disclosure timeline

February 20, 2024 CVE published
August 27, 2024 Record updated