CVE-2024-28058: n/a
In RSA NetWitness (NW) Platform before 12.5.1, even when an administrator revokes the access of a specific user with an active session, an internal threat actor could impersonate the revoked user and gain unauthorized access to sensitive data.
AI Analysis
Technical Summary
CVE-2024-28058 is a vulnerability identified in the RSA NetWitness Platform prior to version 12.5.1. The core issue stems from improper session management: when an administrator revokes a user's access rights, the platform fails to terminate any active sessions associated with that user. Consequently, an internal threat actor with access to the system can continue to use the active session tokens or credentials of the revoked user to impersonate them and gain unauthorized access to sensitive data. This vulnerability is categorized under CWE-276 (Incorrect Default Permissions) and has a CVSS 3.1 base score of 7.5, indicating high severity. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) highlights that the vulnerability is remotely exploitable over the network without requiring privileges or user interaction, and it primarily impacts confidentiality without affecting integrity or availability. The flaw is particularly dangerous in environments where internal threat actors or compromised insiders can exploit lingering sessions to bypass access controls. No patches or exploit code are currently publicly available, but the risk remains significant due to the sensitive nature of data handled by RSA NetWitness, a widely used security monitoring and threat detection platform.
Potential Impact
The vulnerability allows unauthorized access to sensitive data by impersonating revoked users with active sessions, severely compromising confidentiality. This can lead to data leakage, unauthorized data exfiltration, and potential exposure of critical security monitoring information. Since the platform is often used for incident detection and response, attackers exploiting this flaw could manipulate or view security logs and alerts, undermining organizational security posture. The risk is amplified in large enterprises and government agencies where RSA NetWitness is deployed extensively. The flaw could facilitate insider threats, lateral movement within networks, and prolonged undetected access. Although integrity and availability are not directly impacted, the breach of confidentiality alone can have cascading effects on trust, compliance, and operational security.
Mitigation Recommendations
Organizations should upgrade RSA NetWitness Platform to version 12.5.1 or later, where this vulnerability is addressed. Until patching is possible, administrators must enforce strict session management policies, including manual termination of active sessions immediately after access revocation. Monitoring for unusual session activity and implementing network segmentation to limit internal threat actor movement can reduce risk. Employ multi-factor authentication and enhanced logging to detect anomalous access patterns. Regular audits of user sessions and access rights should be conducted to identify lingering sessions. Additionally, consider deploying compensating controls such as endpoint detection and response (EDR) tools to monitor for suspicious behavior originating from compromised sessions. Coordination with RSA support for any available hotfixes or workarounds is recommended.
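A sketch of the session audit recommended above, as an added example that is not part of the original advisory or of any RSA tooling: it correlates access-revocation events with session activity and reports sessions that were still used while their owner's access was revoked. The log formats, user names and session IDs are constructed for illustration and are not NetWitness output; both logs are assumed to be in chronological order per user.

```python
from collections import defaultdict
from datetime import datetime

FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample logs (hypothetical format, not NetWitness output).
ADMIN_EVENTS = """\
2024-03-04T09:00:00Z REVOKE alice
2024-03-04T10:30:00Z REVOKE bob
2024-03-04T11:00:00Z GRANT bob
"""
SESSION_EVENTS = """\
2024-03-04T08:10:00Z s-101 alice LOGIN
2024-03-04T08:55:00Z s-101 alice REQUEST
2024-03-04T09:20:00Z s-101 alice REQUEST
2024-03-04T10:00:00Z s-202 bob LOGIN
2024-03-04T10:45:00Z s-202 bob REQUEST
2024-03-04T11:15:00Z s-202 bob REQUEST
2024-03-04T09:05:00Z s-303 carol LOGIN
"""

def revoked_windows(admin_log):
    """Map user -> list of [start, end) windows during which access was revoked."""
    windows = defaultdict(list)
    for line in filter(str.strip, admin_log.splitlines()):
        ts, action, user = line.split()
        when = datetime.strptime(ts, FMT)
        if action == "REVOKE":
            windows[user].append([when, None])  # open-ended until a later GRANT
        elif action == "GRANT" and windows[user] and windows[user][-1][1] is None:
            windows[user][-1][1] = when         # access restored, close the window
    return windows

def lingering_sessions(admin_log, session_log):
    """Return {session_id: (user, [timestamps of activity while revoked])}."""
    windows = revoked_windows(admin_log)
    hits = {}
    for line in filter(str.strip, session_log.splitlines()):
        ts, sid, user, _event = line.split()
        when = datetime.strptime(ts, FMT)
        for start, end in windows.get(user, []):
            if when >= start and (end is None or when < end):
                hits.setdefault(sid, (user, []))[1].append(ts)
                break
    return hits

if __name__ == "__main__":
    for sid, (user, stamps) in lingering_sessions(ADMIN_EVENTS, SESSION_EVENTS).items():
        print(f"session {sid} ({user}) active while revoked at: {', '.join(stamps)}")
```

Any session this reports should be terminated manually and its activity reviewed; activity after access is re-granted is deliberately not flagged.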
Affected Countries
United States, United Kingdom, Germany, Australia, Canada, France, Japan, South Korea, Netherlands, Singapore
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-03-01T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6d89b7ef31ef0b587f90
Added to database: 2/25/2026, 9:45:45 PM
Last enriched: 2/26/2026, 7:28:49 PM
Last updated: 4/11/2026, 6:29:04 PM