CVE-2024-56404 Overview
CVE-2024-56404 is an insecure direct object reference (IDOR) vulnerability in One Identity Identity Manager 9.x before version 9.3. The flaw allows an authenticated low-privileged user to escalate privileges by manipulating object references that are not properly validated by the application. Only On-Premise installations are affected by this issue. The vulnerability is tracked under CWE-302: Authentication Bypass by Assumed-Immutable Data and was disclosed in the One Identity product notification.
Critical Impact
An attacker with low-privileged access to an affected On-Premise deployment can escalate privileges and compromise confidentiality, integrity, and availability across the identity management environment.
Affected Products
- One Identity Identity Manager 9.0, 9.1 and 9.2 (On-Premise)
- All other 9.x On-Premise releases prior to 9.3 (SaaS deployments are not affected)
Discovery Timeline
- 2025-01-24 - CVE-2024-56404 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-56404
Vulnerability Analysis
The vulnerability is an insecure direct object reference (IDOR) flaw in the On-Premise deployment of One Identity Identity Manager. IDOR issues occur when an application exposes internal object identifiers, such as database keys or entity references, without enforcing access control checks on the requesting user. In this case, the application trusts client-supplied object references to determine which records or operations a user can access. An authenticated attacker can substitute references that point to privileged objects and obtain access that the authorization model should deny.
Root Cause
The root cause maps to CWE-302, where the application assumes that an object identifier supplied by the client is immutable or trustworthy. The Identity Manager runtime does not re-validate that the authenticated principal is authorized to act on the target object referenced in the request. Because Identity Manager governs accounts, roles, and entitlements, manipulating these references translates directly into a privilege escalation path.
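The pattern described in the two paragraphs above, as an added illustration that is not code from One Identity or from this advisory: a hypothetical "add member to object" handler in its vulnerable form (authenticates the caller, then trusts whatever object key the client sends) beside a hardened form that re-checks the caller's authorization for the referenced object. The principals, object keys and ownership model are constructed for the example.

```python
# Added illustration of the IDOR pattern; hypothetical code, not Identity Manager's.
from dataclasses import dataclass, field

# Constructed principals: who is authenticated and which role each holds (assumed).
PRINCIPALS = {"admin": "admin", "alice": "standard"}


@dataclass
class IdentityObject:
    uid: str                       # server-side object key, the value an IDOR lets the client choose
    kind: str                      # "role" or "account"
    owner: str                     # principal entitled to manage this object
    members: set = field(default_factory=set)


class AuthzError(PermissionError):
    """Raised when a request is refused by the authorization check."""


def build_store():
    """Constructed sample directory: one administrative role and one standard account."""
    return {
        "ROLE-0001": IdentityObject("ROLE-0001", "role", owner="admin", members={"admin"}),
        "ACCT-0042": IdentityObject("ACCT-0042", "account", owner="alice"),
    }


def add_member_vulnerable(store, principal, target_uid, new_member):
    """Vulnerable handler: authenticates the caller, then trusts the client-supplied uid."""
    if principal not in PRINCIPALS:
        raise AuthzError("not authenticated")
    obj = store[target_uid]        # no check that `principal` may act on this object
    obj.members.add(new_member)
    return obj


def add_member_hardened(store, principal, target_uid, new_member):
    """Hardened handler: re-validates that the principal is authorized for the referenced object."""
    if principal not in PRINCIPALS:
        raise AuthzError("not authenticated")
    obj = store.get(target_uid)
    # One error for both unknown and forbidden references, so keys cannot be probed for existence
    if obj is None or (obj.owner != principal and PRINCIPALS[principal] != "admin"):
        raise AuthzError(f"{principal} is not authorized for {target_uid}")
    obj.members.add(new_member)
    return obj


def demo():
    """alice (standard) swaps her own account key for the admin role's key in the request."""
    vuln = build_store()
    add_member_vulnerable(vuln, "alice", "ROLE-0001", "alice")
    escalated = "alice" in vuln["ROLE-0001"].members     # True: the reference was trusted

    hard = build_store()
    try:
        add_member_hardened(hard, "alice", "ROLE-0001", "alice")
        blocked = False
    except AuthzError:
        blocked = True                                    # True: the reference was re-checked
    return escalated, blocked


if __name__ == "__main__":
    print(demo())
```

The hardened handler resolves the object first and then asks whether this principal may act on that object; returning the same error for a missing key and a forbidden key keeps the endpoint from doubling as an object-key oracle.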
Attack Vector
The attack is delivered over the network and requires only low-privileged credentials with no user interaction. The vulnerability's CVSS scope is changed, meaning the impact can extend beyond the initially authorized security context to managed downstream systems. A successful exploit grants the attacker the ability to read, modify, or revoke identity objects belonging to higher-privileged accounts, including administrative roles.
No public proof-of-concept code is available for this issue. Refer to the One Identity release notes for version 9.3 for vendor-supplied technical context.
Detection Methods for CVE-2024-56404
Indicators of Compromise
- Unexpected modifications to high-privilege roles, group memberships, or entitlement assignments in the Identity Manager database
- Web application or API requests from low-privileged accounts that reference object identifiers belonging to administrative entities
- Audit log entries showing privilege grants, password resets, or account enables that do not correlate to an approved workflow request
Detection Strategies
- Review Identity Manager web service and API access logs for sequential or manipulated object identifiers issued by the same session
- Correlate authentication events with subsequent privileged object operations to identify users acting outside their assigned role scope
- Baseline normal request patterns per role and alert on deviations such as standard users invoking administrative endpoints
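The indicators of compromise and detection strategies above, as an added example that is not part of the original page: a small Python detector run over constructed access-log lines. It flags non-administrative roles that reference administrative object keys, and a single session walking sequential object keys of one type. The record layout, the admin-object inventory and the threshold are assumptions; map them onto the fields your Identity Manager API server and IIS logs actually carry.

```python
# Added detection example over constructed log lines; the record layout below is assumed,
# not Identity Manager's actual application or API server log format.
import re
from collections import defaultdict

# Constructed sample access log: timestamp, session, user, role, method, path.
SAMPLE_LOG = """\
2025-02-01T09:00:01Z s=abc12 user=bob role=standard POST /api/objects/ACCT-0042/members
2025-02-01T09:00:05Z s=abc12 user=bob role=standard POST /api/objects/ROLE-0001/members
2025-02-01T09:00:06Z s=abc12 user=bob role=standard GET /api/objects/ACCT-0043
2025-02-01T09:00:07Z s=abc12 user=bob role=standard GET /api/objects/ACCT-0044
2025-02-01T09:00:08Z s=abc12 user=bob role=standard GET /api/objects/ACCT-0045
2025-02-01T09:01:00Z s=xyz99 user=admin role=admin POST /api/objects/ROLE-0001/members
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) s=(?P<session>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"(?P<method>[A-Z]+) /api/objects/(?P<uid>[A-Z]+-\d+)"
)

# Assumed inventory of object keys that belong to administrative entities (roles, admin accounts).
ADMIN_OBJECTS = {"ROLE-0001"}
# Minimum run of consecutive object keys in one session before flagging enumeration (assumed).
ENUM_THRESHOLD = 3


def parse(log_text):
    """Return one dict per parsable line; unparsable lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def longest_consecutive_run(nums):
    """Length of the longest run of consecutive integers in `nums`."""
    best = cur = 0
    prev = None
    for n in sorted(set(nums)):
        cur = cur + 1 if prev is not None and n == prev + 1 else 1
        best = max(best, cur)
        prev = n
    return best


def detect(rows):
    findings = []
    # Rule 1: a non-administrative role referencing an administrative object key.
    for r in rows:
        if r["role"] != "admin" and r["uid"] in ADMIN_OBJECTS:
            findings.append(("admin_object_ref", r["session"], r["user"], r["uid"]))
    # Rule 2: one session walking sequential object keys of the same type (ID manipulation).
    keys_by_session = defaultdict(lambda: defaultdict(list))
    user_of = {}
    for r in rows:
        prefix, num = r["uid"].rsplit("-", 1)
        keys_by_session[r["session"]][prefix].append(int(num))
        user_of[r["session"]] = r["user"]
    for session, by_prefix in keys_by_session.items():
        for prefix, nums in by_prefix.items():
            run = longest_consecutive_run(nums)
            if run >= ENUM_THRESHOLD:
                findings.append(("sequential_ids", session, user_of[session], prefix, run))
    return findings


if __name__ == "__main__":
    for finding in detect(parse(SAMPLE_LOG)):
        print(finding)
```

Rule 1 is the high-confidence signal and corresponds to the second indicator above; rule 2 is noisier and is best used to raise the priority of a session that already tripped rule 1, or correlated with the role baseline described in the last strategy.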
Monitoring Recommendations
- Forward Identity Manager application, IIS, and database audit logs to a centralized SIEM with retention sufficient for forensic review
- Enable verbose auditing on role assignment, account creation, and permission change operations within Identity Manager
- Monitor for changes to Active Directory and downstream connected systems originating from Identity Manager service accounts outside maintenance windows
How to Mitigate CVE-2024-56404
Immediate Actions Required
- Upgrade On-Premise deployments of One Identity Identity Manager to version 9.3 or later as documented in the vendor advisory
- Inventory all 9.x On-Premise installations and prioritize internet-exposed or business-critical instances for immediate patching
- Before patching, review recent privileged role assignments for unauthorized changes and rotate the credentials of any account found to have been granted or used for unexpected privileges
Patch Information
One Identity addressed CVE-2024-56404 in Identity Manager 9.3. Administrators should consult the One Identity Identity Manager 9.3 release notes and the official product notification for upgrade procedures and compatibility guidance. SaaS deployments are not affected.
Workarounds
- Restrict network access to the Identity Manager web front end and API endpoints to trusted administrative networks until the patch is applied
- Enforce least-privilege provisioning so that standard user accounts cannot enumerate or modify administrative objects through the API
- Increase the frequency of attestation and recertification campaigns to detect unauthorized entitlement changes between patch cycles
# Verify installed Identity Manager version on the application server.
# The vendor-specific key below is the one given in this advisory; if it is absent on your host,
# fall back to the standard Uninstall entries, which list any One Identity MSI package.
$key = "HKLM:\SOFTWARE\One Identity\Identity Manager"
if (Test-Path $key) { Get-ItemProperty $key | Select-Object ProductVersion }
else { Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | Where-Object DisplayName -like "*One Identity*" | Select-Object DisplayName, DisplayVersion }
# Confirm upgrade target: the reported version must be 9.3.0 or later to remediate CVE-2024-56404
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.