CVE-2024-23733

HIGH

Software AG webMethods <10.15.0 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-23733. PoCs published by Rasime Ekici, ekcrsm.

AI-analyzed exploit summary: This exploit describes an authentication bypass vulnerability in WebMethods Integration Server 10.15.0.0000-0092, allowing remote attackers to access the administration panel and discover server hostname, version information, and administrative API endpoints by sending a dummy username with a blank password.

Description

The /WmAdmin/,/invoke/vm.server/login login page in the Integration Server in Software AG webMethods 10.15.0 before Core_Fix7 allows remote attackers to reach the administration panel and discover hostname and version information by sending an arbitrary username and a blank password to the /WmAdmin/#/login/ URI.

Exploits (2)

exploitdb WRITEUP
by Rasime Ekici · text · remote · windows
https://www.exploit-db.com/exploits/52237

This exploit describes an authentication bypass vulnerability in WebMethods Integration Server 10.15.0.0000-0092, allowing remote attackers to access the administration panel and discover server hostname, version information, and administrative API endpoints by sending a dummy username with a blank password.

Classification: Writeup (90%)
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Software AG webMethods Integration Server 10.15.0 before Core Fix7
Auth required: none
Prerequisites: Network access to the target server · WebMethods Integration Server 10.15.0.0000-0092 without Core Fix7
Analyzed by devstral-2 on Feb 16, 2026

nomisec WRITEUP
by ekcrsm · poc
https://github.com/ekcrsm/CVE-2024-23733

The repository describes an incorrect access control vulnerability in Software AG webMethods API Integration Server 10.15.0, where sending a blank password with an arbitrary username allows access to the administrative dashboard, exposing hostname and version information. The writeup provides technical details about the affected components and attack vectors.

Classification: Writeup (90%)
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Software AG webMethods API Integration Server 10.15.0
Auth required: none
Prerequisites: Access to the /WmAdmin/#/login/ URI · Ability to send HTTP requests
Analyzed by devstral-2 on Feb 19, 2026

Scores

CVSS v3 7.5
EPSS 0.1810
EPSS Percentile 95.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-522
Status published
Published Jan 29, 2025
Tracked Since Feb 18, 2026