CVE-2023-29656 in Mobile App
Summary
by MITRE • 07/06/2023
An improper authorization vulnerability in Darktrace mobile app (Android) prior to version 6.0.15 allows disabled and low-privilege users to control "antigena" actions (block/unblock traffic) from the mobile application. This vulnerability could create a "shutdown", blocking all ingress or egress traffic in the entire infrastructure where Darktrace agents are deployed.
Analysis
by VulDB Data Team • 12/11/2025
CVE-2023-29656 is a critical authorization flaw in the Darktrace mobile application for Android, affecting versions prior to 6.0.15. It is a fundamental failure of access control: users with minimal privileges, including accounts that have been disabled, can execute high-impact administrative functions. Specifically, such users can manipulate antigena actions, which govern the blocking and unblocking of traffic within the network infrastructure. This is a severe privilege escalation that directly violates the principle of least privilege and could give unauthorized users significant control over network operations.
Technically, the vulnerability stems from inadequate authorization checks in the mobile application's handling of antigena functionality. When a user triggers an antigena action through the app, the system fails to properly validate the user's credentials or role before executing the traffic control operation. Because session validation and role-based access control are missing at this point, a malicious or compromised low-privilege account can perform actions that are normally restricted to administrators. The flaw operates at the application layer, in the Android client's interface for managing Darktrace agents deployed throughout enterprise networks.
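To make the CWE-285 pattern concrete, here is an added example (not Darktrace's code) of a hypothetical server-side handler for a "block/unblock" action. The vulnerable variant gates the action on an `is_admin` flag the mobile client supplies itself; the fixed variant derives identity from the authenticated session and checks the account's enabled state and role against server-side records, failing closed. The `Role`, `Account`, `USERS` store and request shape are all constructed for this example.

```python
"""Added example: authorization for a hypothetical traffic-control endpoint.
Not Darktrace's code; names, roles and the user store are constructed."""
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    ADMIN = "admin"
    ANALYST = "analyst"
    READONLY = "readonly"


@dataclass(frozen=True)
class Account:
    username: str
    role: Role
    enabled: bool


class AuthorizationError(PermissionError):
    """Raised when the caller may not run the requested action."""


# Constructed user directory standing in for the server's account store.
USERS = {
    "alice": Account("alice", Role.ADMIN, True),
    "bob": Account("bob", Role.READONLY, True),
    "mallory": Account("mallory", Role.ADMIN, False),  # disabled account
}

# The two traffic-control actions the page describes.
ANTIGENA_ACTIONS = {"block", "unblock"}


def vulnerable_antigena_action(request: dict) -> str:
    """'Before' handler: the only gate is a flag the client chose to send.

    This is the CWE-285 shape: the decision rests on a client-controlled
    claim, so a disabled or read-only user can simply assert is_admin=True.
    """
    action = request.get("action")
    if action not in ANTIGENA_ACTIONS:
        raise ValueError("unknown action")
    if not request.get("is_admin", False):
        raise AuthorizationError("denied")
    return f"{action} {request['target']}"


def authorize_antigena_action(username: str, action: str) -> Account:
    """Fail-closed check against server-side account state.

    Order matters: an unknown or disabled account is rejected before the
    role is even consulted, so a disabled admin cannot act either.
    """
    account = USERS.get(username)
    if account is None or not account.enabled:
        raise AuthorizationError("account unknown or disabled")
    if action not in ANTIGENA_ACTIONS:
        raise ValueError("unknown action")
    if account.role is not Role.ADMIN:
        raise AuthorizationError(
            f"role {account.role.value!r} may not run antigena actions"
        )
    return account


def fixed_antigena_action(session_user: str, request: dict) -> str:
    """'After' handler: identity comes from the authenticated session and
    any is_admin field in the request body is ignored."""
    action = request.get("action", "")
    account = authorize_antigena_action(session_user, action)
    # An audit record of who did what is what later detection relies on.
    return f"{action} {request['target']} by {account.username}"


if __name__ == "__main__":
    bad_request = {"action": "block", "target": "10.0.0.5", "is_admin": True}
    print(vulnerable_antigena_action(bad_request))  # succeeds for anyone
    try:
        fixed_antigena_action("bob", bad_request)
    except AuthorizationError as exc:
        print("fixed handler refused bob:", exc)
    print(fixed_antigena_action("alice", bad_request))
```

The important design point is that the fixed handler never reads `is_admin` from the request at all; the trust boundary sits between the client and the server, so every input that crosses it is treated as attacker-controlled and the decision is made from data the server itself holds.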
The operational impact goes well beyond unauthorized access: it creates the potential for complete network disruption. A low-privilege user who can execute antigena actions can issue a "shutdown" that blocks all ingress or egress traffic across the entire infrastructure where Darktrace agents are deployed. In effect, an attacker can mount a network denial-of-service attack against their own organization's infrastructure and cause widespread operational disruption. The severity is amplified because Darktrace agents are typically deployed across critical network segments, so a single compromised account could affect the entire enterprise network. This aligns with ATT&CK technique T1499.004 (network denial of service) and represents a significant compromise of network availability and business continuity.
Organizations using the Darktrace mobile application must mitigate this vulnerability immediately, above all by updating to version 6.0.15 or later, where the authorization flaw has been patched. Network administrators should also monitor for unauthorized antigena actions and establish strict access controls for mobile application usage. The vulnerability illustrates why mobile applications need proper authorization validation and why administrative interfaces need thorough security testing. Security teams should further consider network segmentation and additional logging so that unauthorized traffic control operations can be detected and responded to. This issue maps to CWE-285 (improper authorization) and represents a critical gap in the security architecture that requires immediate remediation to prevent exploitation that could result in significant operational impact and potential data exposure.
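The monitoring recommended above can be expressed as a small detection routine. This added example is not Darktrace's code and does not reflect its real log format: it assumes a constructed key=value audit line that records the acting user, the user's role and enabled state, the action, the target, and the client type and app version. It flags any antigena action from a non-admin or disabled account, any antigena action from an Android client below the patched version 6.0.15, and any block whose target is the constructed catch-all `0.0.0.0/0`, which stands in for the infrastructure-wide "shutdown" described in the analysis.

```python
"""Added example: flag suspicious antigena actions in constructed audit logs.
Not Darktrace's code; the line format, field names and sample data are
assumptions made for this example."""

# Constructed sample audit lines (assumed format, not a real product log).
SAMPLE_LOG = """\
2023-06-07T10:15:00Z user=alice role=admin enabled=true action=antigena.block target=10.0.0.5 client=android app_version=6.0.15
2023-06-07T10:16:12Z user=bob role=readonly enabled=true action=antigena.unblock target=10.0.0.7 client=android app_version=6.0.14
2023-06-07T10:17:30Z user=mallory role=admin enabled=false action=antigena.block target=0.0.0.0/0 client=android app_version=6.0.14
2023-06-07T10:18:00Z user=alice role=admin enabled=true action=model.view target=abc client=web app_version=n/a
"""

# First mobile app version the page reports as fixed.
PATCHED_VERSION = (6, 0, 15)

# Constructed representation of an "all traffic" target.
CATCH_ALL_TARGET = "0.0.0.0/0"


def version_tuple(text: str):
    """Parse '6.0.14' into (6, 0, 14); return None for anything non-numeric
    so callers treat an unknown version as untrusted rather than skipping it."""
    parts = text.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def parse_line(line: str) -> dict:
    """Split 'ts k=v k=v ...' into a dict; the timestamp lands under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for token in rest.split():
        key, sep, value = token.partition("=")
        if sep:  # ignore malformed tokens rather than failing the whole line
            fields[key] = value
    return fields


def find_unauthorized(log_text: str) -> list:
    """Return one finding per antigena action that violates policy."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        f = parse_line(raw)
        if not f.get("action", "").startswith("antigena."):
            continue  # only traffic-control actions are of interest here

        reasons = []
        if f.get("role") != "admin":
            reasons.append("non-admin role")
        if f.get("enabled") != "true":
            reasons.append("disabled account")
        if f.get("client") == "android":
            v = version_tuple(f.get("app_version", ""))
            if v is None or v < PATCHED_VERSION:
                reasons.append("unpatched mobile client")
        if f["action"] == "antigena.block" and f.get("target") == CATCH_ALL_TARGET:
            reasons.append("infrastructure-wide block")

        if reasons:
            findings.append({
                "ts": f["ts"],
                "user": f.get("user"),
                "action": f["action"],
                "target": f.get("target"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for hit in find_unauthorized(SAMPLE_LOG):
        print(hit["ts"], hit["user"], hit["action"], hit["target"], ";".join(hit["reasons"]))
```

Two details are deliberate: an unparsable app version is treated as unpatched rather than ignored, and an admin action from a disabled account is still flagged, because the enabled flag rather than the role is what the page says was not enforced for disabled users.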