CVE-2024-33891

8.8 HIGH

📋 TL;DR

This vulnerability allows attackers to bypass authentication in Delinea Secret Server via the SOAP API, potentially gaining administrative access. It affects Secret Server versions before 11.7.000001 due to a hardcoded key and improper user ID handling. Organizations using vulnerable versions of this privileged access management solution are at risk.

💻 Affected Systems

Products:
  • Delinea Secret Server
Versions: All versions before 11.7.000001
Operating Systems: Windows, Linux (if applicable for deployment)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments of Secret Server before the patched version, regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of all secrets stored in Secret Server, allowing attackers to access administrative credentials, SSH keys, database passwords, and other sensitive data across the entire infrastructure.

🟠 Likely Case

Unauthorized access to sensitive secrets leading to lateral movement, privilege escalation, and potential data exfiltration from systems protected by Secret Server.

🟢 If Mitigated

Limited impact if network segmentation restricts access to Secret Server and strong monitoring detects anomalous authentication attempts.

🌐 Internet-Facing: HIGH - If Secret Server is exposed to the internet, attackers can directly exploit this vulnerability without any authentication.
🏢 Internal Only: HIGH - Even internally, any user with network access to the Secret Server instance can potentially exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Detailed technical analysis and exploitation details are publicly available in the referenced Medium article, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.7.000001

Vendor Advisory: https://trust.delinea.com/?tcuUid=17aaf4ef-ada9-46d5-bf97-abd3b07daae3

Restart Required: Yes

Instructions:

1. Back up your Secret Server database and configuration.
2. Download version 11.7.000001 from Delinea's official portal.
3. Run the upgrade installer following Delinea's upgrade documentation.
4. Verify the upgrade completed successfully and test functionality.

🔧 Temporary Workarounds

Network Access Restriction


Restrict network access to the Secret Server SOAP API endpoint to only trusted IP addresses or networks.

Use firewall rules to block access to /SecretServer/webservices/SSWebService.asmx from untrusted networks.

Disable SOAP API if Unused


Temporarily disable the vulnerable SOAP API endpoint if it's not required for your operations.

Use the IIS (or Apache reverse proxy) configuration to block or remove the SSWebService.asmx endpoint.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Secret Server from untrusted networks
  • Enable detailed logging and monitoring for all authentication attempts to the SOAP API

🔍 How to Verify

Check if Vulnerable:

Check the Secret Server version in the web interface under Help > About, or examine the installed version in the Windows Programs list.

Check Version:

On Windows: Check installed programs list or registry at HKEY_LOCAL_MACHINE\SOFTWARE\Delinea\Secret Server\Version

Verify Fix Applied:

Verify the version shows 11.7.000001 or higher after patching, and test that the SOAP API now properly validates authentication tokens.

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication patterns to SSWebService.asmx
  • Multiple failed authentication attempts followed by successful admin access
  • SOAP requests with suspicious user ID parameters

Network Indicators:

  • Unusual traffic patterns to /SecretServer/webservices/SSWebService.asmx
  • SOAP requests containing hardcoded authentication bypass parameters

SIEM Query:

source="SecretServer" AND (uri_path="/webservices/SSWebService.asmx" AND (user_id="2" OR auth_token="hardcoded_value"))
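The SIEM query above presumes the fields are already parsed. As an added example (not part of this advisory or of Delinea's tooling), the script below reads IIS W3C extended log lines and reports SOAP endpoint hits from source addresses outside an allowlist; the log excerpt and the allowlisted network are constructed values.

```python
"""Flag requests to Secret Server's SOAP endpoint (SSWebService.asmx) that
come from outside an allowlist, using IIS W3C extended log lines.

Added example, not part of the original advisory. The log lines below are
constructed, and the allowlisted network is an assumed value."""
import ipaddress
from collections import Counter

SOAP_PATH = "/secretserver/webservices/sswebservice.asmx"
# Assumed: the only network that legitimately integrates with the SOAP API.
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed IIS W3C extended log excerpt (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-05-01 10:00:01 10.20.0.5 POST /SecretServer/webservices/SSWebService.asmx - 10.20.4.17 200
2024-05-01 10:00:03 10.20.0.5 GET /SecretServer/Login.aspx - 203.0.113.9 200
2024-05-01 10:00:04 10.20.0.5 POST /SecretServer/webservices/SSWebService.asmx - 203.0.113.9 200
2024-05-01 10:00:05 10.20.0.5 POST /SecretServer/webservices/SSWebService.asmx - 203.0.113.9 200
2024-05-01 10:00:07 10.20.0.5 POST /SecretServer/webservices/SSWebService.asmx - 10.20.4.17 200
"""

def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header names follow the directive
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def soap_requests_from_untrusted(text, allowed=ALLOWED_NETS):
    """Return {client_ip: count} for SOAP endpoint hits from outside the allowlist."""
    hits = Counter()
    for rec in parse_w3c(text):
        if rec.get("cs-uri-stem", "").lower() != SOAP_PATH:
            continue                            # only the SOAP API path matters here
        ip = ipaddress.ip_address(rec["c-ip"])
        if not any(ip in net for net in allowed):
            hits[str(ip)] += 1
    return dict(hits)

if __name__ == "__main__":
    for ip, n in soap_requests_from_untrusted(SAMPLE_LOG).items():
        print(f"ALERT: {n} SOAP API request(s) to SSWebService.asmx from untrusted {ip}")
```

IIS access logs record the path and client address but not the SOAP body, so the user ID and token indicators listed above require application-level or request-body logging rather than the web server log alone.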
