CVE-2024-27455 is a critical security vulnerability identified in the Bentley ALIM Web application, specifically related to the handling of session tokens during file download operations. Under certain configuration settings, the ALIM Web application inadvertently exposes the user's session token, which is a sensitive authentication credential that maintains the user's logged-in state. This exposure occurs without requiring any user interaction or prior authentication, making it easily exploitable remotely. The vulnerability stems from improper management of session tokens (CWE-613) and the inadvertent exposure of sensitive information (CWE-488) within the web application's download functionality. An attacker who intercepts or obtains the exposed session token can hijack the user's session, gaining unauthorized access to the ALIM Web environment and potentially manipulating or exfiltrating sensitive project data. The vulnerability affects versions of Bentley ALIM Web prior to Assetwise ALIM Web 23.00.04.04 and Assetwise Information Integrity Server 23.00.02.03, where the issue has been addressed. The CVSS v3.1 base score of 9.1 reflects the vulnerability's critical severity, highlighting its network attack vector, low attack complexity, no privileges required, and no user interaction needed. Although no active exploits have been reported in the wild, the risk remains significant due to the nature of the exposed credentials and the potential impact on confidentiality and integrity. Organizations relying on Bentley ALIM Web for asset and project information management should urgently apply the available patches and audit their configuration settings to ensure session tokens are not exposed during file downloads.

The impact of CVE-2024-27455 is substantial for organizations using Bentley ALIM Web applications, especially those managing critical infrastructure, engineering, and asset information. Successful exploitation allows attackers to hijack user sessions by capturing exposed session tokens, leading to unauthorized access to sensitive project data and internal systems. This compromises confidentiality and integrity, enabling data theft, unauthorized modifications, or disruption of workflows. Since no authentication or user interaction is required, the attack surface is broad and can be exploited remotely over the network. The vulnerability could facilitate lateral movement within enterprise environments if attackers leverage compromised sessions to escalate privileges or access additional resources. For organizations in sectors such as construction, utilities, transportation, and manufacturing that rely on Bentley's asset lifecycle information management, the breach could result in operational disruptions, intellectual property loss, regulatory non-compliance, and reputational damage. The absence of known exploits in the wild currently reduces immediate risk but does not diminish the urgency for remediation given the critical severity and ease of exploitation.

To mitigate CVE-2024-27455, organizations should immediately upgrade to Assetwise ALIM Web version 23.00.04.04 and Assetwise Information Integrity Server version 23.00.02.03 or later, where the vulnerability is fixed. In addition to patching, administrators must review and harden configuration settings related to file downloads and session token handling to ensure tokens are never exposed in URLs, headers, or download responses. Implement strict access controls and session management policies, including token expiration and rotation, to minimize the window of opportunity for token reuse. Employ network-level protections such as web application firewalls (WAFs) configured to detect and block anomalous requests that might attempt to exploit token exposure. Enable comprehensive logging and monitoring to detect unusual access patterns or session anomalies indicative of token theft or session hijacking attempts. Educate users about the risks of session token exposure and encourage secure practices, such as logging out after sessions and avoiding use of shared or public networks when accessing ALIM Web. Finally, conduct regular security assessments and penetration testing focused on session management and data exposure vectors to proactively identify and remediate similar issues.