CVE-2024-54454: n/a
An issue was discovered in Kurmi Provisioning Suite before 7.9.0.35, 7.10.x through 7.10.0.18, and 7.11.x through 7.11.0.15. An Observable Response Discrepancy vulnerability in the sendPasswordReinitLink action of the unlogged.do page allows remote attackers to test whether a username is valid or not. This allows confirmation of valid usernames.
AI Analysis
Technical Summary
CVE-2024-54454 is an information-disclosure weakness in the Kurmi Provisioning Suite, a platform used to provision and manage telephony and unified-communications services. The flaw sits in the sendPasswordReinitLink action of the unlogged.do page, the unauthenticated entry point that starts a password reset. The application answers differently depending on whether the submitted username exists, an Observable Response Discrepancy (CWE-204, a child of CWE-203, Observable Discrepancy). Anyone who can reach the page can therefore submit candidate usernames and sort them into existing and non-existing accounts: the page itself is the oracle, no credentials or victim interaction are required, and the requests look like ordinary forgotten-password traffic. Affected releases are versions before 7.9.0.35, 7.10.x up to and including 7.10.0.18, and 7.11.x up to and including 7.11.0.15; those bounds imply that 7.9.0.35 and the 7.10 and 7.11 builds following 7.10.0.18 and 7.11.0.15 carry the fix, which should be confirmed with Kurmi. The CVSS v3.1 base score is 5.3 (medium): network-reachable, low attack complexity, no privileges or user interaction, a low confidentiality impact (confirmation of valid usernames) and no integrity or availability impact. No public exploit code is known, and none is needed; the bug is a reconnaissance primitive that lets an attacker concentrate password spraying, credential stuffing or phishing on accounts confirmed to exist.
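The following is an added example, not code from Kurmi or from the advisory, showing how a tester confirms a CWE-204 oracle on any password-reset endpoint: send a username known not to exist, then compare every observable channel of later responses (status, length, body text, redirect target, cookie issuance, and median latency over several samples) against that baseline. The responses, usernames and latencies below are constructed to illustrate the pattern; they are not captured Kurmi traffic, and the unlogged.do response text is not published in the advisory.

```python
"""Differential analysis of password-reset responses to detect a username oracle.

Added example, not Kurmi code. Every response below is constructed.
"""
from dataclasses import dataclass, field
from statistics import median


@dataclass
class Probe:
    """One observed response to a password-reset request for `username`."""
    username: str
    status: int
    body: str
    headers: dict = field(default_factory=dict)
    elapsed_ms: float = 0.0


# Channels an attacker can compare from a single request. Timing is handled
# separately because one sample is too noisy to be conclusive.
def _fingerprint(p: Probe) -> tuple:
    return (
        p.status,
        len(p.body),
        p.body.strip().lower(),
        p.headers.get("Location", ""),
        p.headers.get("Set-Cookie", "") != "",
    )


def discrepancy_channels(a: Probe, b: Probe) -> list[str]:
    """Names of the channels on which two responses are distinguishable."""
    names = ["status", "length", "body", "redirect", "sets_cookie"]
    fa, fb = _fingerprint(a), _fingerprint(b)
    return [n for n, x, y in zip(names, fa, fb) if x != y]


def timing_discrepancy(valid: list[Probe], invalid: list[Probe],
                       threshold_ms: float = 50.0) -> bool:
    """True if median latency differs by more than threshold_ms between groups.

    A backend that only generates a token or sends mail for existing users
    answers measurably slower for them; compare medians, not single hits.
    """
    if not valid or not invalid:
        return False
    mv = median(p.elapsed_ms for p in valid)
    mi = median(p.elapsed_ms for p in invalid)
    return abs(mv - mi) > threshold_ms


def classify(baseline_invalid: Probe, probes: list[Probe]) -> dict[str, bool]:
    """Map each probed username to True when its response differs from the
    response for a username known not to exist (the enumeration oracle)."""
    return {p.username: bool(discrepancy_channels(baseline_invalid, p)) for p in probes}


# Constructed sample responses: the application says more than
# "if that account exists, a link has been sent".
BASELINE = Probe("zz-no-such-user-4711", 200, "Unknown user.", elapsed_ms=12)
SAMPLES = [
    Probe("alice", 200, "A reset link has been sent to your e-mail address.", elapsed_ms=180),
    Probe("bob", 200, "A reset link has been sent to your e-mail address.", elapsed_ms=175),
    Probe("mallory", 200, "Unknown user.", elapsed_ms=11),
    Probe("tom", 302, "", headers={"Location": "/login?reset=ok"}, elapsed_ms=190),
]


def run_demo() -> dict[str, bool]:
    result = classify(BASELINE, SAMPLES)
    for user, leaked in result.items():
        print(f"{user:10s} differs_from_invalid_baseline={leaked}")
    return result


if __name__ == "__main__":
    run_demo()
```

The same comparison doubles as the acceptance test after patching: a fixed endpoint must return an empty channel list for every username, and timing_discrepancy must stay False across a few dozen samples of each class.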
Potential Impact
The direct impact of CVE-2024-54454 is disclosure of which usernames exist in an affected Kurmi Provisioning Suite deployment. That alone compromises no data and changes nothing on the system, but it removes the guesswork from the next step: credential stuffing, password spraying and phishing all become cheaper and quieter when every attempt targets an account known to exist. Accounts on a provisioning platform are often administrative, so a single compromised login can carry over into the telephony estate it manages. The risk rises where the suite is combined with weak password policies, a missing second factor, or other vulnerabilities. The vulnerability causes no denial of service or data modification; the confidentiality and integrity losses are indirect, through the attacks it enables. Because exploitation needs no authentication or user interaction and the probes resemble legitimate forgotten-password requests, unmonitored reconnaissance against an exposed instance is likely.
Mitigation Recommendations
To mitigate CVE-2024-54454, upgrade to a fixed build: 7.9.0.35 or later on the 7.9 branch, a 7.10 release after 7.10.0.18, or a 7.11 release after 7.11.0.15. Until the upgrade is in place, treat the sendPasswordReinitLink action on unlogged.do as a hostile-input endpoint: rate-limit it per source address and per submitted username, and alert when one source requests resets for many distinct usernames in a short window, which is the signature of an enumeration sweep. Where the application can be fronted by a reverse proxy or WAF, normalise its responses so that status code, body and headers are identical whether or not the account exists, and keep in mind that uniform text alone is not enough if the server still does noticeably more work for real accounts, since latency then becomes the oracle. After patching, verify the fix by comparing responses and timings for a known-good and a known-bad username rather than trusting the version string. Enforce multi-factor authentication on every account reachable through the suite so that a confirmed username on its own is worth little, and keep the endpoint off the public internet where the deployment allows it. Periodic audits and user awareness of targeted phishing further reduce the payoff of enumeration.
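The following is an added example, not Kurmi code: the advisory does not publish the affected handler, so reset_link_vulnerable is a generic reconstruction of the CWE-204 pattern and reset_link_hardened shows the uniform-response fix alongside the per-source rate limit and the sweep detector recommended above. The user store, mailer, audit-log format and IP addresses are all constructed for the demonstration.

```python
"""Hardened password-reset handler with rate limiting and a sweep detector.

Added example, not Kurmi code. Users, mailer, log format and IPs are constructed.
"""
import hashlib
import secrets
import time
from collections import defaultdict, deque
from typing import Optional

USERS = {"alice": "alice@example.org", "bob": "bob@example.org"}   # constructed
GENERIC = "If that account exists, a reset link has been sent to its e-mail address."
OUTBOX: list[tuple[str, str]] = []    # stands in for the mailer
AUDIT: list[str] = []                 # structured log lines read by detect_sweeps


def reset_link_vulnerable(username: str) -> tuple[int, str]:
    """Leaks existence: different text, and work is only done for real users."""
    if username not in USERS:
        return 200, "Unknown user."
    OUTBOX.append((USERS[username], secrets.token_urlsafe(32)))
    return 200, "A reset link has been sent to your e-mail address."


class RateLimiter:
    """Sliding-window limit per key (client IP or username)."""
    def __init__(self, limit: int, window_s: float):
        self.limit, self.window = limit, window_s
        self.hits: dict[str, deque] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self.hits[key]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


LIMITER = RateLimiter(limit=5, window_s=60.0)


def reset_link_hardened(username: str, client_ip: str,
                        now: Optional[float] = None) -> tuple[int, str]:
    """Uniform response: same status and body whether or not the user exists."""
    now = time.time() if now is None else now
    # Log every attempt (hashed username, so the log is not itself a roster)
    # before throttling, so that sweeps remain visible to the detector.
    user_hash = hashlib.sha256(username.encode()).hexdigest()[:12]
    AUDIT.append(f"{now:.0f} reset_requested ip={client_ip} user_hash={user_hash}")
    if not LIMITER.allow(client_ip, now):
        return 429, GENERIC           # throttled, but still the generic text
    token = secrets.token_urlsafe(32)  # generated unconditionally
    target = USERS.get(username)
    if target is not None:
        OUTBOX.append((target, token))  # in production: hand to an async mail queue
    return 200, GENERIC


def detect_sweeps(lines: list[str], window_s: float = 300.0,
                  distinct_users: int = 3) -> dict[str, int]:
    """Return {ip: distinct usernames} for sources that requested resets for at
    least `distinct_users` different accounts inside one window."""
    seen: dict[str, list[tuple[float, str]]] = defaultdict(list)
    for ln in lines:
        fields = ln.split()
        kv = dict(p.split("=", 1) for p in fields[2:])
        seen[kv["ip"]].append((float(fields[0]), kv["user_hash"]))
    alerts: dict[str, int] = {}
    for ip, events in seen.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - t0 <= window_s}
            if len(users) >= distinct_users:
                alerts[ip] = max(alerts.get(ip, 0), len(users))
    return alerts


def run_demo() -> tuple[list[int], dict[str, int]]:
    """Constructed traffic: one legitimate reset, then one source sweeping names."""
    OUTBOX.clear(); AUDIT.clear(); LIMITER.hits.clear()
    t = 1_700_000_000.0
    statuses = [reset_link_hardened("alice", "203.0.113.5", t)[0]]
    for i, name in enumerate(["admin", "alice", "bob", "carol", "dave", "erin", "frank"]):
        statuses.append(reset_link_hardened(name, "198.51.100.7", t + i * 2)[0])
    return statuses, detect_sweeps(AUDIT)


if __name__ == "__main__":
    print(run_demo())
```

The handler still branches on whether the account exists when it enqueues the mail, which is why the comment points at an asynchronous queue: the response must be written before any per-user work that takes measurable time, otherwise the timing channel survives the text fix.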
Affected Countries
United States, France, Germany, United Kingdom, India, Brazil, Japan, Canada, Australia, South Korea
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-12-02T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6bc4b7ef31ef0b55acb0
Added to database: 2/25/2026, 9:38:12 PM
Last enriched: 2/28/2026, 3:21:22 AM
Last updated: 4/12/2026, 3:45:20 PM