CVE-2024-10660 Overview
CVE-2024-10660 is a SQL injection vulnerability in ESAFENET CDG 5, a Chinese data leakage prevention product. The flaw resides in the deleteHook function within /com/esafenet/servlet/policy/HookService.java. Attackers can manipulate the hookId parameter to inject arbitrary SQL statements into backend database queries. The vulnerability is remotely exploitable and requires only low-privilege authentication. Public disclosure of exploit details has occurred, increasing the likelihood of opportunistic attacks against exposed instances.
Critical Impact
Authenticated remote attackers can inject SQL through the hookId parameter to read, modify, or delete data in the ESAFENET CDG backend database, with an EPSS probability of 66.889% placing this CVE in the 98th percentile for likelihood of exploitation.
Affected Products
- ESAFENET CDG version 5
- HookService policy servlet component
- Deployments exposing the CDG management interface over the network
Discovery Timeline
- 2024-11-01 - CVE-2024-10660 published to NVD
- 2024-11-05 - Last updated in NVD database
Technical Details for CVE-2024-10660
Vulnerability Analysis
The vulnerability is a classic SQL injection [CWE-89] in the policy management subsystem of ESAFENET CDG 5. The deleteHook method in HookService.java accepts an attacker-controlled hookId argument and concatenates it into a SQL statement without parameterization or sanitization. Because the endpoint is reachable over HTTP and requires only low-privilege credentials, attackers with any valid session can reach the vulnerable code path. Successful injection allows arbitrary SQL execution within the application's database context.
Root Cause
The root cause is improper neutralization of special elements in a SQL command. The deleteHook function builds its DELETE statement through string concatenation using the hookId request parameter. No prepared statements, bind variables, or input validation are applied before the value reaches the database driver. This pattern is common in legacy Java servlets where direct Statement execution replaces parameterized PreparedStatement usage.
Attack Vector
An authenticated attacker sends a crafted HTTP request to the HookService endpoint with a malicious hookId value. The payload typically uses SQL meta-characters such as single quotes, comments, and UNION clauses to break out of the intended DELETE context. Attackers can exfiltrate session tokens, policy data, and user credentials, or pivot to authentication bypass by modifying account records. The exploit has been publicly documented in VulDB #282675 and a Flowus Shared Resource.
No verified proof-of-concept code is reproduced here. Refer to the linked VulDB and Flowus references for technical payload details.
Detection Methods for CVE-2024-10660
Indicators of Compromise
- HTTP requests to /com/esafenet/servlet/policy/HookService containing SQL meta-characters in the hookId parameter, including single quotes, --, UNION, SELECT, or SLEEP.
- Database error messages or unusually long response times correlating with requests targeting deleteHook.
- Unexpected DELETE operations against policy tables or unauthorized modifications to user and session tables.
Detection Strategies
- Deploy web application firewall rules that inspect parameters sent to HookService endpoints and block SQL injection signatures.
- Enable database query logging and alert on DELETE or UNION statements originating from the CDG application user.
- Correlate authentication events with anomalous HookService activity to identify low-privilege accounts exhibiting injection behavior.
Monitoring Recommendations
- Capture full HTTP request bodies and query strings for the CDG management interface and forward them to a centralized log platform for retrospective hunting.
- Baseline normal hookId values, which should be numeric, and alert on non-numeric or encoded payloads.
- Monitor for outbound database traffic spikes or schema enumeration patterns following access to HookService.
How to Mitigate CVE-2024-10660
Immediate Actions Required
- Restrict network access to the ESAFENET CDG management interface to trusted administrative networks and VPN segments only.
- Audit all CDG user accounts and revoke unnecessary low-privilege access until a vendor patch is applied.
- Review database and application logs for prior exploitation attempts referencing HookService or deleteHook.
Patch Information
No vendor advisory or patch URL is listed in the available CVE data. Customers should contact ESAFENET directly to obtain a fixed build of CDG and confirm that the deleteHook function uses parameterized queries.
Workarounds
- Block external access to /com/esafenet/servlet/policy/HookService at the reverse proxy or WAF layer if administrative use is not required from those network paths.
- Enforce a least-privilege database account for the CDG application so injected statements cannot modify authentication tables or escalate privileges.
- Add WAF signatures that reject requests where hookId is not strictly numeric.
# Example nginx rule to enforce numeric hookId values
location /com/esafenet/servlet/policy/HookService {
if ($arg_hookId !~ "^[0-9]+$") {
return 403;
}
proxy_pass http://cdg_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
