CVE-2024-25650: n/a
Insecure key exchange between Delinea PAM Secret Server 11.4 and the Distributed Engine 8.4.3 allows a PAM administrator to obtain the Symmetric Key (used to encrypt RabbitMQ messages) via crafted payloads to the /pre-authenticate, /authenticate, and /execute-and-respond REST API endpoints. This makes it possible for a PAM administrator to impersonate the Engine and exfiltrate sensitive information from the messages published in the RabbitMQ exchanges, without being audited in the application.
AI Analysis
Technical Summary
CVE-2024-25650 affects Delinea's Privileged Access Management (PAM) platform, specifically Secret Server 11.4 used together with Distributed Engine 8.4.3. The weakness is an insecure key exchange between Secret Server and the Distributed Engine, the two components that communicate through RabbitMQ message queues. A PAM administrator can recover the symmetric key used to encrypt RabbitMQ messages by sending crafted payloads to the engine-facing REST API endpoints /pre-authenticate, /authenticate, and /execute-and-respond. Holding that key, the administrator can impersonate the Distributed Engine and read the sensitive content of messages published to the RabbitMQ exchanges. The description notes that this activity is not audited in the application, so it leaves no trace in Secret Server's own audit trail and is difficult to detect. The vulnerability is classified as CWE-319 (Cleartext Transmission of Sensitive Information): the key material is not adequately protected while it is exchanged. The CVSS v3.1 base score is 5.9 (medium). A 5.9 with high confidentiality impact and no integrity or availability impact corresponds to a network attack vector, high attack complexity, and no privileges or user interaction required; that scoring does not account for the PAM administrator account the description says the attacker must already hold, and the same impact scored with high privileges required would rate lower. No public exploit is known. The risk is nonetheless significant because of the privileged nature of the PAM environment and the sensitivity of the data carried over RabbitMQ. No patch or vendor mitigation is listed on this page, so organizations should apply compensating controls and monitor for suspicious activity until an update is available.
Potential Impact
The impact of CVE-2024-25650 is significant for organizations relying on Delinea Secret Server and Distributed Engine for privileged access management. By obtaining the symmetric key used for RabbitMQ message encryption, an attacker with PAM administrator privileges can impersonate the Distributed Engine and read sensitive information exchanged within the PAM infrastructure. This can lead to unauthorized disclosure of credentials, secrets, or other confidential data handled by the engines on the server's behalf. Because the activity is not audited in the application, incident detection and response are harder than for ordinary misuse of an administrator account. Compromise of the messaging path between PAM components undermines the security of the whole privileged access ecosystem and can enable lateral movement, privilege escalation, and further compromise of critical systems. Organizations in sectors with high security requirements, such as finance, healthcare, government, and critical infrastructure, face elevated risk. The medium CVSS score reflects the high attack complexity; the confidentiality impact is high, and since the attack requires an existing PAM administrator account, the practical threat is a malicious or compromised insider who already holds the broadest access rather than an external attacker. That combination makes this vulnerability a serious concern for protecting sensitive credentials and secrets.
Mitigation Recommendations
To mitigate CVE-2024-25650, organizations should take the following specific actions: 1) Immediately review and restrict PAM administrator privileges to the minimum necessary, ensuring that only fully trusted personnel hold that role, since it is the precondition for this attack. 2) Monitor and audit REST API endpoint usage, particularly /pre-authenticate, /authenticate, and /execute-and-respond, for requests from source addresses that are not registered Distributed Engine hosts, or for repeated registration attempts, either of which could indicate exploitation. 3) Implement network segmentation and strict access controls to limit exposure of the Secret Server, Distributed Engine and RabbitMQ components, reducing the attack surface. 4) Keep TLS (ideally with mutual authentication) on all traffic between Secret Server, the Distributed Engines and RabbitMQ, and restrict which hosts may connect to the broker. Note that transport encryption alone does not close this issue: the key is handed to an authenticated administrator by the API itself rather than intercepted on the wire, so the value of this control lies in limiting where an impersonated engine can connect from and in making rogue connections visible. 5) Apply vendor fixes as soon as Delinea publishes them; meanwhile, engage with Delinea support for any recommended interim mitigations or workarounds, including whether the RabbitMQ encryption key can be rotated if compromise is suspected. 6) Conduct security assessments and penetration testing focused on the PAM infrastructure to identify and remediate related weaknesses. 7) Extend logging and alerting to the RabbitMQ side as well: an impersonated engine still has to open a connection to the broker and consume from the exchanges, so broker connection logs and the management interface can reveal consumers that are not known engine hosts. This compensates for the missing application audit coverage in this scenario.
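As an added detection example for item 2 (this is illustrative code written for this page, not Delinea's code and not something the advisory provides), the script below scans a constructed access log for calls to the three endpoints named in the advisory. It assumes an IIS/W3C-style log layout of date, time, method, URI, client IP, user name and status; a route prefix of /engine/ in front of the endpoint names (the real prefix is not given here, so matching is on the trailing path segment); and a list of known Distributed Engine addresses. It flags any engine-endpoint call from another source and any burst of calls to one endpoint from one host. In the sample the administrator workstation 10.0.9.77 carries a user name on these calls, which in this constructed data is itself a clue that the caller is a person rather than an engine.

```python
"""Added detection example for CVE-2024-25650 (not Delinea code).

Scans an access log for calls to the Distributed Engine endpoints named in the
advisory (/pre-authenticate, /authenticate, /execute-and-respond) that come from
hosts other than the known engines, or that arrive in bursts from one host.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Trailing path segments named in the advisory. The route prefix on a real
# Secret Server install is not given on this page, so matching is on the suffix.
ENGINE_ENDPOINTS = ("/pre-authenticate", "/authenticate", "/execute-and-respond")

# Assumed IIS/W3C-style layout: date time method uri-stem client-ip username status
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
    return rec


def engine_endpoint(uri):
    """Return the advisory endpoint a URI path ends with, or None."""
    path = uri.split("?", 1)[0].rstrip("/").lower()
    for ep in ENGINE_ENDPOINTS:
        if path.endswith(ep):
            return ep
    return None


def find_suspicious(lines, known_engines, burst_threshold=3, burst_window=timedelta(seconds=60)):
    """Two rules: (1) an engine endpoint called from a non-engine address;
    (2) at least burst_threshold calls to one endpoint from one address
    inside burst_window, i.e. repeated registration attempts."""
    known = set(known_engines)
    findings = []
    stamps_by_source = defaultdict(list)  # (ip, endpoint) -> [timestamps]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ep = engine_endpoint(rec["uri"])
        if ep is None:
            continue
        if rec["ip"] not in known:
            findings.append({"rule": "unknown-source", "ip": rec["ip"], "endpoint": ep,
                             "user": rec["user"], "ts": rec["ts"]})
        stamps_by_source[(rec["ip"], ep)].append(rec["ts"])
    for (ip, ep), stamps in stamps_by_source.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > burst_window:
                start += 1
            if end - start + 1 >= burst_threshold:
                findings.append({"rule": "burst", "ip": ip, "endpoint": ep,
                                 "count": end - start + 1, "ts": stamps[end]})
                break
    return findings


# Constructed sample: 10.0.5.20 is the only registered engine; 10.0.9.77 is an
# administrator workstation that starts talking to the engine endpoints directly.
SAMPLE_LOG = """\
2024-03-01 09:00:01 POST /engine/pre-authenticate 10.0.5.20 - 200
2024-03-01 09:00:02 POST /engine/authenticate 10.0.5.20 - 200
2024-03-01 09:05:00 GET /SecretServer/Dashboard 10.0.9.77 pam.admin 200
2024-03-01 09:06:10 POST /engine/pre-authenticate 10.0.9.77 pam.admin 200
2024-03-01 09:06:12 POST /engine/authenticate 10.0.9.77 pam.admin 200
2024-03-01 09:06:15 POST /engine/execute-and-respond 10.0.9.77 pam.admin 200
2024-03-01 09:06:20 POST /engine/pre-authenticate 10.0.9.77 pam.admin 200
2024-03-01 09:06:30 POST /engine/pre-authenticate 10.0.9.77 pam.admin 200
2024-03-01 09:30:00 POST /engine/execute-and-respond 10.0.5.20 - 200
"""
KNOWN_ENGINES = ["10.0.5.20"]


def run_sample():
    """Run both rules over the constructed log; returns the list of findings."""
    return find_suspicious(SAMPLE_LOG.splitlines(), KNOWN_ENGINES)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the sample the unknown-source rule fires five times, once per engine-endpoint call from 10.0.9.77, and the burst rule fires once for the three /pre-authenticate calls that host makes within twenty seconds; the registered engine produces no findings. In production the allowlist should come from the engine inventory in Secret Server rather than a hard-coded list, and the same two rules can be applied to the broker's connection log with the engine addresses as the allowlist.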
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Netherlands, Japan, South Korea, Singapore
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-02-09T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 699f6d6cb7ef31ef0b57209b
Added to database: 2/25/2026, 9:45:16 PM
Last enriched: 2/28/2026, 9:50:31 AM
Last updated: 4/12/2026, 3:42:23 PM