CVE-2024-30128 in Nomad Server on Domino
Summary
by MITRE • 09/25/2024
HCL Nomad server on Domino is affected by an open proxy vulnerability in which an unauthenticated attacker can mask their original source IP address. This may enable an attacker to trick the user into exposing sensitive information.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 10/30/2025
The vulnerability identified as CVE-2024-30128 affects the HCL Nomad server component within the Domino environment, presenting a critical open proxy flaw that undermines network security controls. This vulnerability specifically targets the server's handling of incoming requests and response routing mechanisms, allowing malicious actors to exploit the proxy functionality without proper authentication. The flaw enables attackers to manipulate the server's IP address resolution and forwarding behavior, creating a dangerous avenue for bypassing security measures and conducting reconnaissance activities. The open proxy vulnerability operates at the network layer, where legitimate server responses are being routed through the vulnerable proxy mechanism, potentially exposing internal systems and sensitive data to unauthorized access. Organizations utilizing HCL Nomad server within their Domino infrastructure face significant risk as this vulnerability can be exploited to mask attacker origins and conduct malicious activities while appearing to originate from legitimate internal sources.
The technical implementation of this vulnerability stems from improper validation of incoming requests within the Nomad server's proxy handling code. Attackers can craft specific requests that cause the server to forward traffic through its proxy mechanism without proper authentication checks or source IP validation. This flaw typically manifests when the server fails to properly distinguish between legitimate internal requests and external malicious probes, creating an opportunity for IP address spoofing and traffic redirection. The vulnerability may be related to insufficient input sanitization and lacks proper access control enforcement mechanisms that should validate the authenticity of request sources before processing proxy requests. According to CWE standards, this represents a variant of CWE-611 Improper Restriction of XML External Entity Reference, though specifically within the context of proxy server implementations where the flaw enables unauthorized access to internal network resources through the compromised proxy functionality.
The operational impact of CVE-2024-30128 extends beyond simple IP address masking, as it creates opportunities for advanced persistent threats to establish covert communication channels and exfiltrate sensitive information. Attackers can leverage this vulnerability to perform network reconnaissance, map internal network topologies, and identify vulnerable internal services that would normally be protected by firewalls and network segmentation. The masking of original source IP addresses makes it extremely difficult for security teams to trace attack origins and implement effective defensive measures. This vulnerability particularly threatens organizations that rely on Domino servers for email and collaboration services, as it can enable attackers to access sensitive business data, user credentials, and internal communications. The open proxy capability allows for the potential exploitation of additional vulnerabilities within the internal network, as attackers can use the compromised server as a pivot point to move laterally across the network infrastructure.
Organizations should implement immediate mitigations including disabling unnecessary proxy functionality, implementing strict access controls and authentication mechanisms, and configuring proper network segmentation to isolate vulnerable Nomad server components. Network monitoring should be enhanced to detect anomalous proxy behavior and unusual traffic patterns that may indicate exploitation attempts. Security patches should be applied promptly once available from HCL, while administrators should review and restrict proxy configurations to only allow legitimate internal requests. The vulnerability aligns with ATT&CK technique T1090.001 Proxying through command and control servers, where the compromised server acts as an intermediary for malicious communications. Additional defensive measures include implementing robust logging and audit trails, deploying intrusion detection systems, and conducting regular security assessments to identify and remediate similar proxy-related vulnerabilities. The mitigation strategy should also include network access control policies that prevent unauthorized access to the Nomad server components and ensure proper firewall rules are in place to restrict external access to proxy functionality.