CVE-2024-50619 is a critical vulnerability identified in the CIPPlanner CIPAce software prior to version 9.17, specifically within its My Account and User Management modules. The flaw allows authenticated users with low privileges to manipulate client-side user ID parameters to gain unauthorized access to other users' accounts, effectively bypassing intended access controls. Additionally, attackers can escalate their privileges by altering the attributes of user roles that are disabled on the client side, enabling them to gain higher system privileges than originally assigned. This vulnerability stems from improper authorization checks and insufficient validation of user-supplied data, categorized under CWE-269 (Improper Privilege Management). The CVSS v3.1 base score is 8.8, reflecting a network attack vector with low attack complexity, requiring only low privileges and no user interaction, resulting in high impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the vulnerability poses a significant risk due to the ease of exploitation and the potential for complete system compromise. CIPPlanner CIPAce is used in industrial and critical infrastructure planning environments, making the vulnerability particularly concerning for organizations relying on this software for sensitive operational management.

The vulnerability allows attackers to bypass access controls and escalate privileges, potentially leading to unauthorized disclosure of sensitive information, unauthorized modification or deletion of critical data, and disruption of system availability. For organizations, this could mean exposure of confidential operational data, manipulation of user roles to gain administrative control, and possible disruption of industrial or infrastructure planning processes. The impact extends to loss of trust, regulatory penalties, and operational downtime. Given the software’s role in critical infrastructure planning, exploitation could have cascading effects on industrial operations and safety. The ease of exploitation by low-privileged authenticated users increases the risk of insider threats or compromised accounts being leveraged for attacks.

Organizations should immediately upgrade CIPPlanner CIPAce to version 9.17 or later where the vulnerability is addressed. In the absence of a patch, implement strict server-side validation and authorization checks to ensure user IDs and role modifications cannot be tampered with by clients. Employ robust input validation and enforce least privilege principles rigorously. Monitor user activities for suspicious account access patterns or unauthorized privilege escalations. Restrict access to the application to trusted networks and users, and consider multi-factor authentication to reduce risk from compromised credentials. Conduct regular security audits and penetration testing focused on user management components. Additionally, isolate critical infrastructure planning systems from general user environments to limit exposure.