CVE-2024-36455 Overview
CVE-2024-36455 is an improper input validation flaw in a Privileged Access Management (PAM) system disclosed in Broadcom Security Advisory #24678. The vulnerability allows an unauthenticated attacker to achieve remote command execution by sending a specially crafted HTTP request to the affected service. The flaw maps to [CWE-665] Improper Initialization and carries a CVSS 4.0 base score of 9.4. The attack vector is Adjacent Network, meaning the attacker must be able to reach the management interface from the same logical network segment.
Critical Impact
Unauthenticated attackers with adjacent network access can execute arbitrary commands on the PAM system, compromising the credential vault and every downstream system it brokers.
Affected Products
- Broadcom Privileged Access Management (PAM) appliance
- PAM HTTP management interface
- Any downstream system whose privileged credentials are stored or brokered by the affected PAM
Discovery Timeline
- 2024-07-15 - CVE-2024-36455 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-36455
Vulnerability Analysis
The vulnerability resides in the HTTP request handling logic of the PAM system. The service fails to properly validate input contained in a crafted HTTP request before passing it into a downstream execution context. An attacker on the adjacent network can deliver the payload without authenticating or interacting with a user. Successful exploitation results in arbitrary command execution under the privileges of the PAM service account.
Because PAM platforms broker credentials for the most sensitive accounts in an environment, code execution on the appliance itself yields access to stored secrets, session recordings, and policy configuration. Attackers can pivot from the appliance to any system whose credentials it manages.
Root Cause
The issue is categorized under [CWE-665] Improper Initialization, combined with improper input validation as described in the advisory. Request parameters are consumed by a handler that does not enforce type, length, or character-set constraints before the values reach a sensitive sink. The absence of safe initialization for the affected variables permits attacker-controlled data to alter program flow and drive command execution.
Attack Vector
The attack vector is AV:A (Adjacent Network), so the attacker must be able to reach the PAM management interface. No privileges (PR:N) or user interaction (UI:N) are required. The attacker submits a single crafted HTTP request to a vulnerable endpoint. The server parses the request, fails to sanitize the attacker-controlled fields, and executes the embedded command. Confidentiality, integrity, and availability of both the vulnerable component and subsequent systems are rated High.
No public proof-of-concept exploit has been published at the time of writing, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The current EPSS probability is 1.13% (78th percentile).
Detection Methods for CVE-2024-36455
Indicators of Compromise
- Unexpected child processes spawned by the PAM web service account, particularly shell interpreters such as sh, bash, or cmd.exe.
- Inbound HTTP or HTTPS requests to the PAM management interface containing shell metacharacters, encoded command separators, or unusually long parameter values.
- Outbound network connections originating from the PAM appliance to addresses outside the documented integration list.
- New or modified files in web-accessible directories on the appliance and unscheduled changes to credential vault audit logs.
Detection Strategies
- Alert on any process execution chain where the PAM web server parent process spawns command interpreters or scripting runtimes.
- Inspect HTTP request logs for anomalous payload patterns, oversized parameters, and non-ASCII content directed at management endpoints.
- Correlate authentication events: command execution without a corresponding authenticated administrative session is a strong signal of exploitation.
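As an added example (not from the advisory and not Broadcom's code) of the first two strategies above, the following Python script applies the process-chain and request-inspection checks to constructed process-event records and access-log lines; the process names, log field layout and endpoint path are assumed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumed names: the PAM web service process and the interpreters it should never spawn.
WEB_PARENTS = {"pam-httpd"}
INTERPRETERS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe", "perl", "python3"}
# Shell metacharacters and command separators that have no place in a management request.
METACHARS = re.compile(r"[;|&`$(){}<>\n]")
MAX_PARAM_LEN = 512  # anything longer is treated as an oversized parameter

# Constructed sample data; the endpoint path is a placeholder, not a real PAM route.
PROCESS_EVENTS = [
    {"parent": "pam-httpd", "user": "pamsvc", "image": "/bin/sh"},
    {"parent": "pam-httpd", "user": "pamsvc", "image": "/opt/pam/bin/reportgen"},
    {"parent": "cron", "user": "root", "image": "/bin/sh"},
]
ACCESS_LOG = [
    '203.0.113.7 "POST /mgmt/api/example?user=admin&comment=hello HTTP/1.1" 200',
    '203.0.113.7 "POST /mgmt/api/example?user=admin%3Bid HTTP/1.1" 200',
    '203.0.113.9 "GET /mgmt/api/example?token=' + "A" * 600 + ' HTTP/1.1" 200',
]

def suspicious_process(event):
    """Strategy 1: the PAM web server parent spawning a command interpreter."""
    image = event["image"].rsplit("/", 1)[-1].lower()
    return event["parent"] in WEB_PARENTS and image in INTERPRETERS

def suspicious_request(line):
    """Strategy 2: decoded parameters with metacharacters, oversized or non-ASCII values."""
    m = re.match(r'(\S+) "(\w+) (\S+) HTTP/[\d.]+" (\d{3})', line)
    if not m:
        return []
    reasons = []
    for name, value in parse_qsl(urlsplit(m.group(3)).query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decoded once; catch double-encoded separators too
        if METACHARS.search(decoded):
            reasons.append(f"metachar in {name}")
        if len(value) > MAX_PARAM_LEN:
            reasons.append(f"oversized {name}")
        if any(ord(c) > 127 for c in decoded):
            reasons.append(f"non-ascii in {name}")
    return reasons

def review(events=PROCESS_EVENTS, log=ACCESS_LOG):
    """Return one alert string per suspicious process event or request line."""
    alerts = [f"process: {e['image']} under {e['parent']}" for e in events if suspicious_process(e)]
    alerts += [f"request: {', '.join(r)}" for line in log for r in [suspicious_request(line)] if r]
    return alerts

if __name__ == "__main__":
    for alert in review():
        print(alert)
```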
Monitoring Recommendations
- Forward PAM application, OS, and network logs to a centralized analytics platform and retain them for incident review.
- Baseline normal administrator source IPs, user agents, and request volumes, and alert on deviations.
- Monitor egress traffic from the PAM appliance and treat any connection to untrusted destinations as a high-severity event.
How to Mitigate CVE-2024-36455
Immediate Actions Required
- Apply the vendor fix documented in Broadcom Security Advisory #24678 on every affected PAM instance.
- Restrict network reachability of the PAM management interface to a dedicated administration VLAN or jump host.
- Review credential vault access logs and rotate any secrets that may have been exposed during the vulnerability window.
- Audit the PAM appliance for unauthorized accounts, scheduled tasks, and modified configuration files.
Patch Information
Broadcom has published remediation guidance in Security Advisory #24678. Administrators should review the advisory for the specific fixed versions that apply to their deployment and follow the vendor upgrade procedure. No workaround is a substitute for installing the fixed release.
Workarounds
- Place the PAM management interface behind a network access control list that allows only known administrator source addresses.
- Require VPN or zero-trust network access for administrators connecting to the PAM appliance, eliminating adjacent-network exposure from general user segments.
- Enable strict web application firewall rules in front of the management interface to block requests containing shell metacharacters until the patch is applied.
# Example: restrict the PAM management interface to an administrative subnet
# (10.10.50.0/24 is a placeholder; rules are evaluated in order, so these must
# precede any broader ACCEPT rule already on the INPUT chain, e.g. by using -I)
iptables -A INPUT -p tcp --dport 443 -s 10.10.50.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.