CVE-2024-22854: n/a
A DOM-based HTML injection vulnerability in the main page of Darktrace Threat Visualizer version 6.1.27 (bundle version 61050) and before has been identified. A URL crafted by a remote attacker and visited by an authenticated user allows an open redirect and potential credential theft via an injected HTML form.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2024-22854 identifies a DOM-based HTML injection vulnerability in the main page of Darktrace Threat Visualizer version 6.1.27 (bundle version 61050) and earlier. The flaw arises from improper handling of user-controllable input in the web interface: an attacker can craft a URL that, when visited by an authenticated user, causes an open redirect and injects arbitrary HTML into the page's DOM. The injected HTML can include a form designed to phish credentials or other sensitive data from the user. Exploitation requires the victim to be authenticated and to visit the crafted URL, which limits the ease of exploitation but still poses a significant risk in environments where users have access to the Threat Visualizer interface. The vulnerability is classified under CWE-601 (open redirect) and scored 4.6 on the CVSS v3.1 scale, reflecting low to medium impact on confidentiality and integrity and no impact on availability. No patches or known public exploits are available at this time, but the risk of credential theft through social engineering or targeted phishing campaigns is notable. The product is a widely used security monitoring platform, so it could be targeted by attackers seeking to compromise security operations centers or gain access to sensitive network monitoring data.
Potential Impact
The primary impact of CVE-2024-22854 is the potential theft of user credentials through phishing attacks facilitated by the open redirect and HTML injection. If an attacker successfully tricks an authenticated user into visiting a crafted URL, they can inject malicious forms that capture sensitive information, potentially leading to unauthorized access to the Darktrace Threat Visualizer or other connected systems. This could compromise the integrity of security monitoring data and reduce the effectiveness of threat detection. While the vulnerability does not directly affect system availability, the loss of credentials or session hijacking could enable further attacks within an organization's network. Organizations relying on Darktrace for security operations could face increased risk of insider threat, espionage, or data breaches if attackers leverage this vulnerability. The requirement for user interaction and authentication reduces the likelihood of widespread automated exploitation but does not eliminate targeted attacks against high-value users such as SOC analysts or administrators.
Mitigation Recommendations
To mitigate CVE-2024-22854, organizations should first check for and apply any available patches or updates from Darktrace that address this vulnerability. In the absence of an official patch, strict validation and sanitization of URLs and other user-controllable parameters before they reach the Threat Visualizer page's DOM is the code-level fix; the remaining measures are compensating controls. Employ Content Security Policy (CSP) headers to restrict inline script execution and the destinations to which injected forms can submit. Educate users, especially SOC personnel, about the risks of following suspicious links and encourage verification of URLs before access. Implement multi-factor authentication (MFA) to reduce the impact of credential theft. Monitor logs for unusual redirect patterns or access attempts involving suspicious URLs. Network segmentation and limiting access to the Threat Visualizer interface to trusted IP ranges also reduce exposure. Finally, consider deploying web application firewalls (WAFs) with rules to detect and block open redirect and injection attempts targeting this product.
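The validation the mitigation paragraph calls for, as an added example that is neither Darktrace's code nor taken from the advisory: a redirect-parameter sink written the vulnerable way (open redirect plus HTML injection from one untrusted value) beside a hardened version that parses the value with the WHATWG URL API, keeps only same-origin http(s) targets and HTML-escapes what it renders. The parameter name `next`, the application origin and the default landing page are assumptions.

```javascript
// Added example (not Darktrace's code): the two sinks behind a DOM-based
// HTML injection + open redirect, beside hardened versions. Runs under
// Node.js with no DOM; the sinks are modelled as plain functions.

const APP_ORIGIN = "https://tv.example.internal"; // assumed app origin
const DEFAULT_TARGET = "/";                        // assumed safe landing page

// Vulnerable pattern: the `next` query parameter (assumed name) flows
// unchecked into both a redirect and page markup. Any absolute URL is
// followed, and any '<' becomes live HTML, e.g. an injected <form>.
function vulnerableHandler(queryString) {
  const next = new URLSearchParams(queryString).get("next") || DEFAULT_TARGET;
  return {
    redirectTo: next,                          // open redirect (CWE-601)
    html: `<p>Redirecting to ${next}...</p>`,  // HTML injection sink
  };
}

// Hardened: resolve the parameter against the app origin with the WHATWG
// URL parser, then keep only same-origin http(s) targets as a relative path.
function validateRedirectTarget(raw, origin = APP_ORIGIN) {
  if (typeof raw !== "string" || raw === "") return DEFAULT_TARGET;
  let url;
  try {
    url = new URL(raw, origin); // relative paths resolve to our origin
  } catch {
    return DEFAULT_TARGET;      // unparseable input
  }
  // Rejects "//evil.example", "https://evil.example" and
  // "https://ours@evil.example"; "javascript:" and "data:" have origin "null".
  if (url.origin !== origin) return DEFAULT_TARGET;
  if (url.protocol !== "https:" && url.protocol !== "http:") return DEFAULT_TARGET;
  return url.pathname + url.search + url.hash;
}

// Never interpolate raw input into markup; escape it (or use textContent).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function hardenedHandler(queryString) {
  const target = validateRedirectTarget(new URLSearchParams(queryString).get("next"));
  return { redirectTo: target, html: `<p>Redirecting to ${escapeHtml(target)}...</p>` };
}
// Defence in depth (HTTP header, not JS): Content-Security-Policy: form-action 'self'
// stops an injected form posting credentials elsewhere even if a sink is missed.
```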
Affected Countries
United States, United Kingdom, Germany, France, Australia, Canada, Netherlands, Japan, Singapore, Israel
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-01-11T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6d4db7ef31ef0b57028d
Added to database: 2/25/2026, 9:44:45 PM
Last enriched: 2/26/2026, 10:11:21 AM
Last updated: 4/12/2026, 12:43:51 AM