CVE-2024-39341 identifies a vulnerability in Entrust Instant Financial Issuance (On Premise) Software versions 6.8.x and earlier through 6.10.0. After installation, the software leaves a configuration file named WebAPI.cfg.xml accessible via HTTP on port 80 without requiring authentication. This file resides in the IIS webroot directory and can be accessed by guessing the correct path, exposing system configuration parameters. Although sensitive values within the file are encrypted, the exposure of configuration parameter names and encrypted values can provide attackers with valuable information about the system setup. The vulnerability is classified under CWE-290 (Authentication Bypass), as the file is accessible without authentication. The CVSS v3.1 base score is 5.9 (medium severity), reflecting a local attack vector with low complexity, no privileges required, and no user interaction needed. The impact includes potential confidentiality, integrity, and availability risks, as attackers could leverage the disclosed configuration data to plan further attacks or exploit other vulnerabilities. No patches or exploits are currently known, but the presence of this file on publicly accessible HTTP endpoints represents a significant security oversight. The vulnerability primarily affects organizations using Entrust Instant Financial Issuance software on-premise, particularly those exposing HTTP services without adequate access controls.

The vulnerability exposes sensitive configuration data that, while encrypted, can aid attackers in understanding the system architecture and potentially decrypting or exploiting the information. This can lead to information disclosure, which may facilitate privilege escalation, unauthorized access, or disruption of financial issuance services. Since the software is used for financial card issuance, compromise could impact the integrity and availability of critical financial operations, potentially leading to financial fraud or service outages. The attack requires network access to the HTTP port, limiting remote exploitation but still posing a risk within internal networks or if the service is exposed externally. Organizations with inadequate network segmentation or firewall rules are at higher risk. The exposure of configuration files also increases the attack surface for threat actors aiming to map internal systems or identify weak points for further exploitation.

Organizations should immediately verify whether the WebAPI.cfg.xml file exists in the IIS webroot directory and restrict access to it. This can be done by removing the file if it is not needed post-installation or moving it to a non-web-accessible location. Implement strict access controls on HTTP services, including network segmentation and firewall rules to limit access to trusted hosts only. Enforce HTTPS and disable HTTP where possible to prevent interception. Monitor web server logs for unauthorized access attempts to configuration files. Additionally, coordinate with Entrust to obtain any available patches or updated versions that address this issue. If patching is not immediately possible, consider deploying web application firewalls (WAFs) to block requests targeting the configuration file path. Regularly audit and harden IIS configurations to prevent directory traversal or path guessing attacks. Finally, educate system administrators about the risks of leaving sensitive files accessible and enforce secure installation and post-installation procedures.