CVE-2024-45404 in OpenCTI
Summary
by MITRE • 12/12/2024
OpenCTI is an open-source cyber threat intelligence platform. In versions below 6.2.18, because the function to limit the rate of OTP does not exist, an attacker with valid credentials or a malicious user who commits internal fraud can break through the two-factor authentication and hijack the account. This is because the otpLogin mutation does not implement One Time Password rate limiting. As of time of publication, it is unknown whether a patch is available.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 05/17/2025
The vulnerability identified as CVE-2024-45404 affects OpenCTI, a widely-used open-source cyber threat intelligence platform that enables organizations to collect, analyze, and share threat intelligence data. This platform serves as a critical component in cybersecurity operations centers and threat intelligence workflows, making its security paramount for protecting sensitive threat data and operational capabilities. The vulnerability specifically resides in versions prior to 6.2.18, where a fundamental security control has been omitted that would otherwise prevent unauthorized account access through brute force attacks against the two-factor authentication system. The absence of rate limiting mechanisms in the OTP authentication process creates a significant security gap that can be exploited by determined attackers.
The technical flaw manifests in the otpLogin mutation functionality which lacks proper rate limiting controls to prevent automated brute force attempts against one-time passwords. This vulnerability directly relates to CWE-305 Authentication Bypass Through Multiple Failures, where the system does not adequately protect against repeated authentication attempts that could lead to account compromise. The lack of rate limiting allows an attacker with valid credentials or an internal malicious user to repeatedly attempt OTP code guessing without detection or blocking mechanisms. This weakness in the authentication flow enables account hijacking through bypass of the two-factor authentication protection that should normally prevent unauthorized access even if primary credentials are compromised. The vulnerability is particularly concerning as it operates at the authentication layer where successful exploitation directly results in full account access and potential data compromise.
The operational impact of this vulnerability extends beyond simple account takeover as it undermines the fundamental security posture of organizations using OpenCTI platforms. An attacker who successfully exploits this vulnerability can gain unauthorized access to threat intelligence data, potentially accessing sensitive information about organizational security posture, threat actors, and attack vectors. This compromise could enable advanced persistent threat actors to conduct targeted attacks against the organization's infrastructure, modify threat intelligence data to mislead security operations, or even use the platform as a staging ground for further attacks. The internal fraud aspect of this vulnerability is particularly dangerous as it suggests that malicious insiders with legitimate access could exploit this weakness to escalate privileges or access additional systems beyond their normal operational scope. Organizations relying on OpenCTI for threat intelligence management face potential exposure to both external attackers and insider threats through this authentication bypass vulnerability.
Organizations should immediately implement mitigations including upgrading to OpenCTI version 6.2.18 or later where the rate limiting functionality has been implemented. The mitigation strategy should include monitoring authentication logs for suspicious patterns of failed login attempts that might indicate brute force attacks. Network-level protections such as IP address blocking for excessive failed authentication attempts should be implemented as additional defensive measures. Security teams should also conduct immediate assessments of their OpenCTI deployments to identify any unauthorized access or suspicious activities that might have occurred during the period when this vulnerability was present. From an ATT&CK framework perspective, this vulnerability maps to T1078 Valid Accounts and T1110 Brute Force techniques where adversaries can leverage valid credentials to bypass multi-factor authentication controls. The implementation of rate limiting should follow security best practices outlined in NIST SP 800-63B for authentication and lifecycle management, ensuring that authentication systems are protected against automated attack vectors while maintaining usability for legitimate users.