CVE-2024-37775: n/a
Incorrect access control in Sunbird DCIM dcTrack v9.1.2 allows attackers to create or update a ticket with a location which bypasses an RBAC check.
AI Analysis
Technical Summary
CVE-2024-37775 is an access control vulnerability identified in Sunbird DCIM's dcTrack version 9.1.2. The issue stems from improper enforcement of role-based access control (RBAC) when creating or updating tickets, specifically allowing attackers to specify or modify the location attribute without proper authorization. This bypass occurs because the application fails to validate the user's permissions correctly before permitting changes to ticket locations. The vulnerability is exploitable remotely without authentication or user interaction, increasing its risk profile. The CVSS v3.1 base score is 7.5, reflecting high severity due to the ease of exploitation and the impact on data integrity. While confidentiality and availability remain unaffected, the ability to alter ticket locations can disrupt operational workflows, cause mismanagement of resources, and potentially lead to further security or operational issues. No patches or official fixes were listed at the time of publication, and no active exploitation has been reported. The vulnerability is classified under CWE-863, which concerns incorrect authorization mechanisms that allow unauthorized actions.
Potential Impact
The primary impact of CVE-2024-37775 is on the integrity of ticket data within dcTrack, a data center infrastructure management tool. Unauthorized modification of ticket locations can lead to operational confusion, misallocation of resources, and inaccurate tracking of maintenance or incident tickets. This can degrade the reliability of the DCIM system, potentially causing delays in incident response or maintenance activities. For organizations relying heavily on dcTrack for managing critical infrastructure, such data integrity issues could cascade into larger operational disruptions. Although confidentiality and availability are not directly impacted, the integrity compromise could be leveraged as a stepping stone for further attacks or social engineering by creating misleading or fraudulent tickets. The fact that no authentication is required for exploitation increases the risk of widespread abuse, especially in environments where dcTrack is exposed to untrusted networks.
Mitigation Recommendations
Until an official patch is released, organizations should implement compensating controls such as restricting network access to the dcTrack management interface to trusted IP addresses only, ideally via VPN or internal network segmentation. Monitoring and alerting on unusual ticket creation or modification activities, especially those involving location changes, can help detect exploitation attempts. Administrators should review and tighten RBAC configurations and audit logs regularly to identify unauthorized changes. If possible, temporarily disable or limit ticket creation and updates from untrusted sources. Engage with Sunbird support for updates on patches or hotfixes and apply them promptly once available. Additionally, consider implementing web application firewalls (WAFs) with custom rules to block suspicious requests targeting ticket creation or update endpoints. Conduct security awareness training for staff to recognize and report anomalies in ticketing data.
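As an added example (not part of the original analysis and not Sunbird code), the following sketch implements the monitoring recommendation above by replaying ticket audit events against an RBAC export and flagging create or update events whose location falls outside the actor's grant. The log format, field names, action names, users and locations are all constructed assumptions; dcTrack's real audit schema is not given on this page.

```python
import json

# Constructed RBAC export: user -> locations the role grants (hypothetical format).
GRANTS = {
    "alice": {"DC-EAST"},
    "bob": {"DC-EAST", "DC-WEST"},
}

# Constructed audit records, one JSON object per line (hypothetical field names).
AUDIT_LOG = """\
{"ts": "2024-06-01T10:00:00Z", "user": "alice", "action": "ticket.create", "ticket": 101, "location": "DC-EAST"}
{"ts": "2024-06-01T10:05:00Z", "user": "alice", "action": "ticket.update", "ticket": 101, "location": "DC-WEST"}
{"ts": "2024-06-01T10:07:00Z", "user": "bob", "action": "ticket.update", "ticket": 102, "location": "DC-WEST"}
{"ts": "2024-06-01T10:09:00Z", "user": null, "action": "ticket.create", "ticket": 103, "location": "DC-EAST"}
{"ts": "2024-06-01T10:11:00Z", "user": "alice", "action": "ticket.close", "ticket": 101, "location": "DC-WEST"}
not-json garbage line
"""

# Only the operations named in the advisory are checked.
WATCHED = {"ticket.create", "ticket.update"}


def find_location_violations(log_text, grants):
    """Return (line_number, reason, ticket_id) for each suspicious record."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            # Surface broken records instead of silently dropping them.
            findings.append((lineno, "unparseable", None))
            continue
        if not isinstance(ev, dict) or ev.get("action") not in WATCHED:
            continue
        user, loc = ev.get("user"), ev.get("location")
        if user is None:
            # A ticket write with no authenticated actor is itself an alert.
            findings.append((lineno, "no-authenticated-actor", ev.get("ticket")))
        elif loc not in grants.get(user, set()):
            # Unknown users get an empty grant, so they are flagged too.
            findings.append((lineno, "location-outside-grant", ev.get("ticket")))
    return findings


if __name__ == "__main__":
    for finding in find_location_violations(AUDIT_LOG, GRANTS):
        print(finding)
```
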
Affected Countries
United States, India, Germany, United Kingdom, Canada, Australia, France, Japan, Netherlands, Singapore
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-06-10T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 699f6c6fb7ef31ef0b563fe2
Added to database: 2/25/2026, 9:41:03 PM
Last enriched: 2/28/2026, 3:45:55 AM
Last updated: 4/12/2026, 6:22:11 PM