CVE-2024-37393 is a critical LDAP injection vulnerability affecting SecurEnvoy Multi-Factor Authentication (MFA) software versions prior to 9.4.514. The root cause is improper validation of user-supplied input in the DESKTOP service exposed on the /secserver HTTP endpoint. This flaw allows an unauthenticated remote attacker to craft specially designed requests that manipulate LDAP queries executed against Active Directory. Through blind LDAP injection, attackers can extract sensitive directory information without direct feedback, including attributes such as ms-Mcs-AdmPwd, which contains cleartext passwords used by Microsoft's Local Administrator Password Solution (LAPS). The vulnerability impacts confidentiality by exposing sensitive credentials, integrity by potentially allowing unauthorized query manipulation, and availability if exploited to disrupt directory services. The attack vector requires no authentication or user interaction, increasing the ease of exploitation. The CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects the critical severity, indicating network attack vector, low complexity, no privileges or user interaction needed, and high impact on confidentiality, integrity, and availability. Although no public exploits are currently reported, the vulnerability poses a significant risk to organizations relying on SecurEnvoy MFA integrated with Active Directory environments. The CWE-89 classification confirms this as an injection flaw, emphasizing the need for proper input validation and sanitization. No official patches were listed at the time of publication, underscoring the urgency for vendor remediation and interim mitigations.

The impact of CVE-2024-37393 is severe for organizations using vulnerable versions of SecurEnvoy MFA integrated with Active Directory. Successful exploitation allows attackers to exfiltrate sensitive directory data, including cleartext local administrator passwords managed by LAPS, which can lead to lateral movement, privilege escalation, and full domain compromise. The exposure of these credentials undermines the security of endpoint devices and critical infrastructure. Additionally, manipulation of LDAP queries could disrupt directory services, affecting availability and operational continuity. Since the attack requires no authentication or user interaction, it can be executed remotely by any attacker with network access to the vulnerable endpoint, increasing the attack surface. This vulnerability threatens confidentiality, integrity, and availability simultaneously, making it a critical risk for enterprises, especially those with high-value assets and regulatory compliance requirements. The lack of known exploits in the wild currently provides a window for proactive defense, but the high severity score indicates that exploitation would have devastating consequences.

To mitigate CVE-2024-37393, organizations should immediately identify and inventory all deployments of SecurEnvoy MFA and verify their versions. Although no official patches were available at the time of disclosure, organizations should monitor vendor communications for updates and apply patches promptly once released. In the interim, restrict network access to the /secserver HTTP endpoint by implementing strict firewall rules, network segmentation, and access control lists to limit exposure to trusted management networks only. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious LDAP injection patterns targeting the vulnerable endpoint. Conduct thorough input validation and sanitization on any custom integrations or proxies interacting with SecurEnvoy MFA services. Regularly audit Active Directory for unusual queries or access patterns, and rotate LAPS passwords frequently to reduce the window of exposure. Implement comprehensive monitoring and alerting for anomalous LDAP activity and unauthorized access attempts. Finally, review and strengthen overall MFA deployment security posture, including minimizing exposed services and enforcing least privilege principles.