CVE-2024-0336 identifies a Missing Authentication for Critical Function vulnerability (CWE-306) in EMTA Grup's PDKS product, specifically affecting version 3.04 prior to June 3, 2024. The vulnerability arises from incorrectly configured access control security levels, which fail to enforce authentication for certain critical functions within the system. This allows an attacker with low privileges (PR:L) to remotely exploit the system over the network (AV:N) without requiring user interaction (UI:N) or elevated privileges. The vulnerability impacts confidentiality, integrity, and availability at a high level (VC:H, VI:H, VA:H), indicating that an attacker could potentially access sensitive data, alter system configurations, or disrupt services. The scope is high (SC:H), meaning the vulnerability affects components beyond the initially compromised security scope, and the impact is significant across integrity and availability (SI:H, SA:H). The vendor has not provided a patch or responded to early disclosure attempts, increasing the risk for organizations relying on this product. The PDKS system is typically used for workforce management and physical access control, making this vulnerability particularly dangerous as it could allow unauthorized access to physical premises or manipulation of attendance and access records. No known exploits are currently reported in the wild, but the critical nature and ease of exploitation make it a high-risk issue. Organizations should assume active exploitation attempts may emerge soon.

For European organizations, the impact of CVE-2024-0336 is significant, especially for those using EMTA Grup PDKS in environments requiring strict access control such as corporate offices, manufacturing plants, and critical infrastructure facilities. Unauthorized access to critical functions could lead to physical security breaches, manipulation of attendance or access logs, and disruption of operational workflows. This could result in data breaches, insider threat facilitation, and operational downtime. The lack of vendor response and absence of patches exacerbate the risk, forcing organizations to rely on compensating controls. The vulnerability could also undermine compliance with European data protection regulations such as GDPR if personal data managed by PDKS is compromised. Additionally, the potential for lateral movement within networks after exploiting this vulnerability could expose other critical systems to attack, amplifying the overall risk posture.

1. Immediately isolate PDKS systems from public and untrusted networks using network segmentation and firewall rules to limit exposure. 2. Implement strict access control policies restricting access to PDKS management interfaces only to trusted administrators and internal networks. 3. Monitor network traffic and system logs for unusual access patterns or unauthorized attempts to invoke critical functions. 4. Employ multi-factor authentication (MFA) on all administrative accounts interacting with PDKS, if supported. 5. Conduct regular audits of access control configurations and verify that no critical functions are accessible without proper authentication. 6. Prepare incident response plans specifically addressing potential exploitation scenarios of this vulnerability. 7. Engage with EMTA Grup for updates and patches, and subscribe to relevant security advisories. 8. Consider deploying intrusion detection/prevention systems (IDS/IPS) tuned to detect anomalous activities related to PDKS. 9. If feasible, temporarily disable or restrict access to vulnerable functions until a patch is available. 10. Train staff on recognizing and reporting suspicious activities related to access control systems.