
CVE-2024-28144: CWE-384 Session Fixation in Image Access GmbH Scan2Net

Severity: Medium
Tags: Vulnerability, CVE-2024-28144, cve, cve-2024-28144, cwe-384
Published: Thu Dec 12 2024 (12/12/2024, 13:24:16 UTC)
Source: CVE Database V5
Vendor/Project: Image Access GmbH
Product: Scan2Net

Description

An attacker who can spoof the IP address and the User-Agent of a logged-in user can take over the session because of flaws in the self-developed session management. If two users access the web interface from the same IP they are logged in as the other user.

AI-Powered Analysis

Last updated: 11/03/2025, 23:58:14 UTC

Technical Analysis

CVE-2024-28144 identifies a session fixation vulnerability (CWE-384) in the Scan2Net product by Image Access GmbH. The root cause is a flawed, self-developed session management mechanism that ties user sessions to the client's IP address and User-Agent string but fails to isolate sessions when those parameters are spoofed or shared. An attacker capable of spoofing both the IP address and the User-Agent of a legitimate logged-in user can hijack that user's session, taking over the authenticated session without needing credentials. The same flaw also manifests without any attacker: when multiple users access the web interface from the same IP address, their sessions cross over and users are logged in as one another. This indicates a fundamental design flaw in session handling and user authentication logic. The vulnerability does not disclose sensitive data or allow modification of data (no confidentiality or integrity impact), but it causes availability issues by disrupting legitimate user sessions. Exploitation requires the attacker to have network-level capabilities to spoof IP addresses and User-Agent headers, which may limit the attack surface to local networks or environments where IP spoofing is feasible. The CVSS v3.1 score is 5.5, reflecting medium severity with low attack complexity but limited impact scope. No patches or known exploits are currently available, so mitigation relies on network controls and monitoring. The vulnerability was published on December 12, 2024, and affects all versions of Scan2Net as indicated.
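The design flaw described above is easiest to see next to its correct counterpart. The following Python model is an added example written for this page, not Scan2Net's code: `WeakSessionStore` is a hypothetical reconstruction of the flawed pattern (a session identified by attributes the client supplies, namely IP and User-Agent), and `StrongSessionStore` shows the conventional remedy (a server-issued random token in a cookie, rotated at login, with IP and User-Agent used only as a fail-closed sanity check). The `Request` class and all addresses and User-Agent strings are constructed for the demonstration.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed request model: what a web server sees per HTTP request."""
    ip: str
    user_agent: str
    cookies: dict = field(default_factory=dict)


class WeakSessionStore:
    """Hypothetical reconstruction of the flaw: the session key is built from
    client-controlled attributes, so every request with the same IP and
    User-Agent resolves to the same (most recently logged-in) user."""

    def __init__(self):
        self._sessions = {}  # (ip, user_agent) -> username

    def login(self, req, username):
        self._sessions[(req.ip, req.user_agent)] = username

    def current_user(self, req):
        return self._sessions.get((req.ip, req.user_agent))


class StrongSessionStore:
    """Hardened form: identity comes from a high-entropy token that only the
    server issues and the client returns in a cookie. IP and User-Agent are
    recorded as a secondary signal; a mismatch ends the session instead of
    selecting somebody else's."""

    COOKIE = "sid"

    def __init__(self):
        self._sessions = {}  # token -> {"user", "ip", "ua"}

    def login(self, req, username):
        # Always issue a fresh token at login. A token that existed before
        # authentication (possibly planted by someone else) must never become
        # an authenticated session; this is the session-fixation defence.
        old = req.cookies.get(self.COOKIE)
        if old in self._sessions:
            del self._sessions[old]
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = {"user": username, "ip": req.ip, "ua": req.user_agent}
        return token  # the caller sets it as an HttpOnly, Secure, SameSite cookie

    def current_user(self, req):
        token = req.cookies.get(self.COOKIE)
        sess = self._sessions.get(token) if token else None
        if sess is None:
            return None
        if sess["ip"] != req.ip or sess["ua"] != req.user_agent:
            # Binding mismatch: fail closed and revoke rather than guess.
            del self._sessions[token]
            return None
        return sess["user"]


def demo():
    """Two colleagues behind one NAT address using the same browser build."""
    alice = Request("10.0.0.5", "Mozilla/5.0 (Office PC)")
    bob = Request("10.0.0.5", "Mozilla/5.0 (Office PC)")

    weak = WeakSessionStore()
    weak.login(alice, "alice")
    weak.login(bob, "bob")
    weak_result = (weak.current_user(alice), weak.current_user(bob))  # both "bob"

    strong = StrongSessionStore()
    alice.cookies["sid"] = strong.login(alice, "alice")
    bob.cookies["sid"] = strong.login(bob, "bob")
    strong_result = (strong.current_user(alice), strong.current_user(bob))

    # A request that matches only IP and User-Agent but carries no cookie:
    # the weak store hands it bob's session, the strong store gives it nothing.
    no_cookie = Request("10.0.0.5", "Mozilla/5.0 (Office PC)")
    return weak_result, strong_result, weak.current_user(no_cookie), strong.current_user(no_cookie)


if __name__ == "__main__":
    print(demo())
```

The point of the comparison is that the weak store has no secret at all: everything it uses to decide "who is this" is observable or guessable by a third party and is legitimately shared by users behind the same NAT, which is exactly the two failure modes the advisory describes. In the strong store the only identifying input is the unguessable token, and IP/User-Agent mismatches can only reduce access, never grant it.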

Potential Impact

For European organizations, this vulnerability poses a risk primarily to the availability and operational continuity of Scan2Net devices, which are often used in document scanning and imaging workflows. An attacker exploiting this flaw could disrupt user sessions, causing denial of service or unauthorized session takeover and potentially halting critical document processing tasks. While confidentiality and integrity are not directly compromised, session hijacking could serve as a stepping stone for further attacks if combined with other vulnerabilities or insider threats. Organizations in sectors that rely heavily on Scan2Net devices, such as government agencies, legal firms, and large enterprises, may experience workflow interruptions and an increased risk of insider impersonation. The requirement for IP and User-Agent spoofing limits remote exploitation but does not eliminate risk in environments with weak network segmentation or where attackers have insider access. The lack of patches means organizations must rely on compensating controls until a fix is released. This vulnerability also raises concerns about the security maturity of the vendor's session management, potentially affecting trust in the product.

Mitigation Recommendations

1. Implement strict network segmentation and access controls to limit who can reach Scan2Net devices, reducing the risk of IP spoofing.
2. Deploy network-level anti-spoofing measures such as ingress and egress filtering on routers and switches to prevent attackers from spoofing IP addresses within the network.
3. Monitor web server logs for anomalies in User-Agent strings and IP address changes associated with user sessions to detect potential session hijacking attempts.
4. Enforce multi-factor authentication (MFA) on the Scan2Net web interface if supported, adding an additional layer of security beyond session tokens.
5. Restrict access to Scan2Net interfaces to trusted IP ranges or VPN connections to reduce exposure.
6. Engage with Image Access GmbH to request a security patch or updated firmware addressing the session management flaws.
7. Educate users about the risks of shared IP environments and encourage use of unique network segments or VPNs when accessing Scan2Net devices.
8. Consider deploying web application firewalls (WAFs) that can detect and block suspicious session fixation or spoofing attempts targeting the Scan2Net interface.
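Recommendation 3 asks for log monitoring of User-Agent and IP changes tied to a user. The script below is an added example for this page, not a tool from the vendor or the advisory source, and it assumes a constructed log format (`<ISO timestamp> user=<name> ip=<addr> ua="<User-Agent>" <method> <path>`) that is not Scan2Net's real format; adapt `LINE_RE` to whatever the device or a fronting reverse proxy actually writes. It raises two kinds of finding that map directly onto the two failure modes in the description: a user whose IP or User-Agent differs from the one they first appeared with (`binding-change`), and two distinct users seen from the same IP and User-Agent within a short window (`shared-client`).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real Scan2Net output). Alice's account is
# later seen with a different User-Agent and then a different IP; Bob then
# logs in from the same IP/User-Agent pair Alice started with.
SAMPLE_LOG = """\
2024-12-12T09:00:01Z user=alice ip=10.0.0.5 ua="Mozilla/5.0 (Windows NT 10.0) Firefox/120" GET /login
2024-12-12T09:00:15Z user=alice ip=10.0.0.5 ua="Mozilla/5.0 (Windows NT 10.0) Firefox/120" GET /scans
2024-12-12T09:02:40Z user=alice ip=10.0.0.5 ua="curl/8.4.0" GET /scans
2024-12-12T09:03:10Z user=alice ip=10.0.0.77 ua="Mozilla/5.0 (Windows NT 10.0) Firefox/120" GET /settings
2024-12-12T09:05:00Z user=bob ip=10.0.0.5 ua="Mozilla/5.0 (Windows NT 10.0) Firefox/120" GET /login
2024-12-12T09:05:30Z user=carol ip=10.0.0.9 ua="Mozilla/5.0 (X11; Linux) Chrome/119" GET /scans
"""

# Assumed line layout; replace with the real format of the log you ingest.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)" '
    r'(?P<method>\S+) (?P<path>\S+)$'
)


def parse(log_text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def detect(events, window=timedelta(minutes=10)):
    """Return findings as (kind, user, detail, timestamp) tuples.

    binding-change: a user appears with an IP and/or User-Agent that differs
                    from the pair they were first seen with ("ip", "ua" or "ip,ua").
    shared-client:  a second distinct user appears from an IP/User-Agent pair
                    that another user used within `window` (detail = other user).
    """
    findings = []
    first_seen = {}                 # user -> (ip, ua) of first request
    by_client = defaultdict(list)   # (ip, ua) -> [(ts, user), ...]
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["ip"], e["ua"])
        base = first_seen.setdefault(e["user"], key)
        if base != key:
            changed = [name for name, i in (("ip", 0), ("ua", 1)) if base[i] != key[i]]
            findings.append(("binding-change", e["user"], ",".join(changed), e["ts"].isoformat()))
        others = sorted({u for ts, u in by_client[key]
                         if u != e["user"] and e["ts"] - ts <= window})
        if others:
            findings.append(("shared-client", e["user"], others[0], e["ts"].isoformat()))
        by_client[key].append((e["ts"], e["user"]))
    return findings


if __name__ == "__main__":
    for f in detect(parse(SAMPLE_LOG)):
        print(*f)
```

Treat these as triage signals rather than verdicts: a `shared-client` finding is expected wherever several users sit behind one NAT address with a standard browser image, which is precisely the condition under which this product confuses sessions, so the useful response is to confirm which user the device actually served and to tighten segmentation (recommendations 1 and 5) rather than to alert on every occurrence. A `binding-change` where the User-Agent switches to a non-browser client mid-session is the stronger indicator and worth a closer look.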


Technical Details

Data Version: 5.2
Assigner Short Name: SEC-VLab
Date Reserved: 2024-03-05T09:15:40.202Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69092621fe7723195e0b46ff

Added to database: 11/3/2025, 10:01:05 PM

Last enriched: 11/3/2025, 11:58:14 PM

Last updated: 11/5/2025, 2:06:18 PM
