Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-13058

Summary
Assigner-SoftIron
Assigner Org ID-0a72a055-908d-47f5-a16a-1f09049c16c6
Published At-30 Dec, 2024 | 22:08
Updated At-29 Aug, 2025 | 18:46
Rejected At-
Credits

Authenticated, non-admin users can create storage pools via the sifi API

An issue exists in SoftIron HyperCloud where authenticated, but non-admin users can create data pools, which could potentially impact the performance and availability of the backend software-defined storage subsystem. This issue only impacts SoftIron HyperCloud and related software products (such as VM Squared) software versions 2.3.0 to before 2.5.0.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:SoftIron
Assigner Org ID:0a72a055-908d-47f5-a16a-1f09049c16c6
Published At:30 Dec, 2024 | 22:08
Updated At:29 Aug, 2025 | 18:46
Rejected At:
▼CVE Numbering Authority (CNA)
Authenticated, non-admin users can create storage pools via the sifi API

An issue exists in SoftIron HyperCloud where authenticated, but non-admin users can create data pools, which could potentially impact the performance and availability of the backend software-defined storage subsystem. This issue only impacts SoftIron HyperCloud and related software products (such as VM Squared) software versions 2.3.0 to before 2.5.0.

Affected Products
Vendor
SoftIron
Product
HyperCloud
Default Status
unaffected
Versions
Affected
  • From 2.3.0 before 2.5.0 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-269CWE-269 Improper Privilege Management
CWECWE-400CWE-400 Uncontrolled Resource Consumption
CWECWE-285CWE-285 Improper Authorization
Type: CWE
CWE ID: CWE-269
Description: CWE-269 Improper Privilege Management
Type: CWE
CWE ID: CWE-400
Description: CWE-400 Uncontrolled Resource Consumption
Type: CWE
CWE ID: CWE-285
Description: CWE-285 Improper Authorization
Metrics
VersionBase scoreBase severityVector
4.04.8MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L/S:N/AU:Y/R:U/V:D/RE:M/U:Green
Version: 4.0
Base score: 4.8
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L/S:N/AU:Y/R:U/V:D/RE:M/U:Green
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-1CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs
CAPEC-58CAPEC-58 Restful Privilege Elevation
CAPEC-122CAPEC-122 Privilege Abuse
CAPEC ID: CAPEC-1
Description: CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs
CAPEC ID: CAPEC-58
Description: CAPEC-58 Restful Privilege Elevation
CAPEC ID: CAPEC-122
Description: CAPEC-122 Privilege Abuse
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://advisories.softiron.cloud/
N/A
Hyperlink: https://advisories.softiron.cloud/
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:0a72a055-908d-47f5-a16a-1f09049c16c6
Published At:30 Dec, 2024 | 22:15
Updated At:29 Aug, 2025 | 19:15

An issue exists in SoftIron HyperCloud where authenticated, but non-admin users can create data pools, which could potentially impact the performance and availability of the backend software-defined storage subsystem. This issue only impacts SoftIron HyperCloud and related software products (such as VM Squared) software versions 2.3.0 to before 2.5.0.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.04.8MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:D/RE:M/U:Green
Type: Secondary
Version: 4.0
Base score: 4.8
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:D/RE:M/U:Green
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-269Secondary0a72a055-908d-47f5-a16a-1f09049c16c6
CWE-285Secondary0a72a055-908d-47f5-a16a-1f09049c16c6
CWE-400Secondary0a72a055-908d-47f5-a16a-1f09049c16c6
CWE ID: CWE-269
Type: Secondary
Source: 0a72a055-908d-47f5-a16a-1f09049c16c6
CWE ID: CWE-285
Type: Secondary
Source: 0a72a055-908d-47f5-a16a-1f09049c16c6
CWE ID: CWE-400
Type: Secondary
Source: 0a72a055-908d-47f5-a16a-1f09049c16c6
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://advisories.softiron.cloud/0a72a055-908d-47f5-a16a-1f09049c16c6
N/A
Hyperlink: https://advisories.softiron.cloud/
Source: 0a72a055-908d-47f5-a16a-1f09049c16c6
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

2Records found
CVE-2023-45083
Matching Score-6
Assigner-SoftIron
ShareView Details
Matching Score-6
Assigner-SoftIron
CVSS Score-4.2||MEDIUM
EPSS-0.02% / 6.32%
||
7 Day CHG~0.00%
Published-05 Dec, 2023 | 16:15
Updated-02 Aug, 2024 | 20:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HyperCloud: "admin" and "serveradmin" users can be deleted

An Improper Privilege Management vulnerability exists in HyperCloud that will impact the ability for a user to authenticate against the management plane. An authenticated admin-level user may be able to delete the "admin" or "serveradmin" users, which prevents authentication from subsequently succeeding. This issue affects HyperCloud versions 1.0 to any release before 2.1.

Action-Not Available
Vendor-softironSoftIron
Product-hypercloudHyperCloud
CWE ID-CWE-269
Improper Privilege Management
CVE-2025-10650
Matching Score-6
Assigner-SoftIron
ShareView Details
Matching Score-6
Assigner-SoftIron
CVSS Score-1.8||LOW
EPSS-0.01% / 2.01%
||
7 Day CHG~0.00%
Published-18 Sep, 2025 | 19:11
Updated-20 Feb, 2026 | 17:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper SSH Key Handling in Internal Debug Builds May Grant Cluster-Level Access to Non-Administrative Users

SoftIron HyperCloud 2.5.0 through 2.6.3 may incorrectly add user SSH keys to the administrator-level authorized keys under certain conditions, allowing unauthorized privilege escalation to admin via SSH. Affects non-production debug and internal development builds created between versions 2.5.0 and 2.6.3.  No generally available (GA) or customer-released production builds were affected.  There is no evidence that this issue was exposed in customer environments or production deployments.

Action-Not Available
Vendor-SoftIron
Product-HyperCloud
CWE ID-CWE-269
Improper Privilege Management
Details not found