CVE-2024-48952 affects Logpoint SOAR versions prior to 7.5.0 due to the use of a static JSON Web Token (JWT) secret key for token generation. JWTs are commonly used for authentication and authorization in APIs, relying on secret keys to sign tokens securely. In this case, the static secret key is hardcoded or reused, which allows attackers who discover or guess this key to generate valid JWT tokens without needing legitimate credentials. These forged tokens can then be used to access SOAR API endpoints that should require authentication, effectively bypassing security controls. The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function), indicating that critical API functions are exposed without proper authentication mechanisms. The CVSS v3.1 score is 6.4 (medium), with attack vector being adjacent network (AV:A), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), low integrity impact (I:L), and low availability impact (A:L). This means exploitation requires network proximity but is difficult due to the complexity of obtaining or guessing the static key. The primary risk is unauthorized data disclosure via API access. No patches or exploits are currently publicly available, but the vulnerability represents a significant risk if the static key is compromised or leaked.

The vulnerability allows unauthorized attackers to bypass authentication and access sensitive SOAR API endpoints, potentially exposing confidential security orchestration data and operations. This can lead to unauthorized data disclosure, leakage of incident response workflows, and potential manipulation of SOAR processes. Although integrity and availability impacts are low, the confidentiality breach can undermine an organization's security posture and incident response effectiveness. Organizations relying on Logpoint SOAR for security automation and orchestration may face increased risk of targeted attacks or insider threats exploiting this vulnerability. The requirement for adjacent network access limits remote exploitation but does not eliminate risk in segmented or cloud environments. The absence of known exploits reduces immediate threat but does not preclude future exploitation once the static key is discovered or leaked.

1. Upgrade Logpoint SOAR to version 7.5.0 or later, where this vulnerability is addressed by eliminating the static JWT secret key usage. 2. Restrict network access to SOAR API endpoints using network segmentation, firewalls, or VPNs to limit exposure to trusted hosts only. 3. Monitor SOAR API access logs for anomalous or unauthorized token usage patterns indicative of forged JWT tokens. 4. Implement additional authentication layers or API gateways that enforce dynamic token validation or multi-factor authentication for API access. 5. Rotate any static secrets or keys if possible and audit configurations to ensure no hardcoded secrets remain. 6. Conduct regular security assessments and penetration tests focusing on API authentication mechanisms. 7. Educate security teams about the risks of static secrets and enforce secure development practices to avoid similar issues in future.