
CVE-2024-24720: n/a in n/a

Severity: Medium
Published: Tue Feb 27 2024 (02/27/2024, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: n/a
Product: n/a

Description

An issue was discovered in the Forgot password function in Innovaphone PBX before 14r1 devices. It provides information about whether a user exists on a system.

AI-Powered Analysis

Last updated: 07/08/2025, 16:09:55 UTC

Technical Analysis

CVE-2024-24720 is a medium-severity vulnerability identified in the Forgot Password function of Innovaphone PBX devices prior to version 14r1. The vulnerability allows an attacker to determine whether a specific user exists on the system by exploiting the information disclosure behavior of the password recovery mechanism. Specifically, the Forgot Password function leaks user existence information, which constitutes an information disclosure vulnerability categorized under CWE-200. The vulnerability has a CVSS v3.1 base score of 5.3, indicating a medium impact. The attack vector is network-based (AV:N), requires no privileges (PR:N), and no user interaction (UI:N). The impact is limited to confidentiality (C:L), with no effect on integrity or availability. No known exploits are currently reported in the wild, and no patches or vendor advisories are provided in the available data. This vulnerability can be leveraged by attackers to enumerate valid usernames on the Innovaphone PBX system, which can facilitate further targeted attacks such as brute force password attempts, social engineering, or phishing campaigns. Given that PBX systems are critical telephony infrastructure components, unauthorized access or reconnaissance can lead to significant operational disruptions or privacy violations if combined with other vulnerabilities or attack vectors.

Potential Impact

For European organizations using Innovaphone PBX devices, this vulnerability poses a risk primarily related to user enumeration and information disclosure. While the direct impact is limited to revealing valid usernames, this information can be a stepping stone for more severe attacks, including credential stuffing or targeted phishing. Organizations relying on these PBX systems for internal and external communications could face increased risk of unauthorized access attempts or social engineering attacks. The confidentiality breach could expose sensitive user identity information, potentially violating data protection regulations such as GDPR if personal data is involved. Although the vulnerability does not directly compromise system integrity or availability, the reconnaissance capability it provides can facilitate subsequent attacks that might disrupt telephony services or lead to fraud. The lack of known exploits reduces immediate risk, but the ease of exploitation (no authentication or user interaction required) means attackers could automate user enumeration at scale, increasing the threat surface.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should first verify if their Innovaphone PBX devices are running versions prior to 14r1 and plan an upgrade to version 14r1 or later, where this issue is presumably resolved. In the absence of an official patch, organizations can implement the following practical measures:

1) Restrict access to the Forgot Password function by limiting it to trusted networks or VPNs to reduce exposure to external attackers.
2) Implement rate limiting and monitoring on the password recovery endpoint to detect and block automated user enumeration attempts.
3) Customize or harden the Forgot Password workflow to provide generic responses that do not reveal user existence information, if the system allows configuration.
4) Enhance logging and alerting on authentication and password recovery requests to identify suspicious activity early.
5) Conduct user awareness training to mitigate risks from phishing or social engineering that could leverage leaked user information.
6) Review and enforce strong password policies and multi-factor authentication (MFA) on PBX user accounts to reduce the risk of credential compromise following user enumeration.
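As an added illustration of measures 2 and 3 above (example code written for this page, not Innovaphone's implementation and not taken from the advisory), the following Python model places the leaking response pattern beside a uniform-response handler and a per-source rate limiter for the recovery endpoint; the account store, addresses and limits are constructed for the demo.

```python
import time
from collections import defaultdict, deque

# Constructed sample account store for the demo; not Innovaphone data.
USERS = {"alice": "alice@example.invalid", "bob": "bob@example.invalid"}
SENT = []  # records addresses that would have received a reset mail

def send_reset_mail(address):
    """Stand-in for the mail step: record instead of sending."""
    SENT.append(address)

def forgot_password_leaky(username):
    """Weak pattern: status and message depend on account existence,
    so an unauthenticated caller learns which usernames are valid."""
    if username not in USERS:
        return {"status": 404, "message": "Unknown user"}
    send_reset_mail(USERS[username])
    return {"status": 200, "message": "Reset mail sent"}

def forgot_password_uniform(username):
    """Hardened pattern: every request gets the same status and message;
    only the side effect (mail to a real address) differs."""
    if username in USERS:
        send_reset_mail(USERS[username])
    return {"status": 200,
            "message": "If the account exists, a reset link has been sent."}

class RateLimiter:
    """Sliding-window limiter keyed by caller (e.g. source IP); a burst of
    refusals on the recovery endpoint is the enumeration signal to alert on."""
    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self.hits = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self.hits[key]
        while q and now - q[0] > self.window:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True

def handle_request(limiter, source, username, now=None):
    """Endpoint wrapper: 429 once the caller exceeds the limit, else uniform."""
    if not limiter.allow(source, now):
        return {"status": 429, "message": "Too many requests"}
    return forgot_password_uniform(username)
```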


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2024-01-27T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6839d93e182aa0cae2b7303e

Added to database: 5/30/2025, 4:13:50 PM

Last enriched: 7/8/2025, 4:09:55 PM

Last updated: 7/25/2025, 10:11:45 PM
