CVE-2024-46480

8.4 HIGH

📋 TL;DR

This vulnerability allows authenticated attackers with Application Administrator access in Venki Supravizio BPM to leak NTLM hashes, enabling privilege escalation on the underlying host system. It affects organizations using Venki Supravizio BPM up to version 18.0.1. Attackers must already have administrative access to the application to exploit this vulnerability.

💻 Affected Systems

Products:
  • Venki Supravizio BPM
Versions: Up to and including 18.0.1
Operating Systems: Windows (due to NTLM hash involvement)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Application Administrator role access to exploit. The vulnerability leaks NTLM hashes from the underlying Windows system.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full domain compromise if the leaked credential belongs to a privileged account: captured NTLM material can be relayed to other hosts or cracked offline, then used for lateral movement across the network.

🟠 Likely Case

Local privilege escalation on the host running Supravizio BPM, potentially reaching SYSTEM-level privileges.

🟢 If Mitigated

Exposure stays at the application level, without host compromise, if network segmentation and credential protection are in place.

🌐 Internet-Facing: MEDIUM - Requires authenticated Application Administrator access, but if the application is internet-facing with admin accounts exposed, risk increases.
🏢 Internal Only: HIGH - Internal attackers with application admin access can exploit this to escalate privileges on critical business systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated Application Administrator access and knowledge of the specific vulnerability mechanism. The GitHub references contain research details but not full exploit code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 18.0.2 or later

Vendor Advisory: https://www.venki.com.br/ferramenta-bpm/supravizio/

Restart Required: No

Instructions:

1. Contact Venki support for the latest patched version.
2. Back up your Supravizio BPM configuration and data.
3. Install the updated version following vendor instructions.
4. Verify the installation and test application functionality.

🔧 Temporary Workarounds

Restrict Application Administrator Access

Applies to: all

Limit the number of users with the Application Administrator role to essential personnel only and implement strict access controls.

Implement Network Segmentation

Applies to: all

Isolate the Supravizio BPM server from critical systems to limit lateral movement if NTLM hashes are compromised.

🧯 If You Can't Patch

  • Implement strict monitoring of Application Administrator account activity and of NTLM authentication attempts involving the Supravizio server or its service account.
  • Enable SMB signing and disable NTLMv1 so that a leaked hash is harder to relay or crack.
  • Restrict outbound SMB (TCP 445) from the Supravizio server to the hosts it legitimately needs, so that NTLM authentication from the server cannot reach arbitrary destinations.

🔍 How to Verify

Check if Vulnerable:

Check your Supravizio BPM version via the application interface or configuration files. Versions 18.0.1 and earlier are vulnerable.

Check Version:

Check application web interface or consult Supravizio BPM documentation for version checking commands specific to your installation.

Verify Fix Applied:

After updating, verify the version number shows 18.0.2 or later in the application interface or configuration.
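The version checks above are easy to get wrong in scripts: comparing version strings lexically reports "18.0.10" as older than "18.0.2" and "9.5" as newer than "18.0.2". The following is an added example (not code from the page or from Venki) that parses the version out of whatever the interface or configuration reports and compares it numerically against the first fixed release named above; the input strings are constructed, and the naive function is included only to show the failure mode.

```python
import re

# First fixed release named on this page.
FIXED_VERSION = (18, 0, 2)

VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)")


def parse_version(text):
    """Pull the dotted numeric version out of strings such as
    'Supravizio BPM v18.0.1' (constructed input) and return it as a tuple of ints."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(text, fixed=FIXED_VERSION):
    """True when the reported version is older than the first fixed release.
    Components are compared as integers, and the shorter tuple is padded with
    zeros so that '18.0' is treated as 18.0.0."""
    found = parse_version(text)
    width = max(len(found), len(fixed))
    found += (0,) * (width - len(found))
    fixed += (0,) * (width - len(fixed))
    return found < fixed


def naive_is_vulnerable(text):
    """The comparison to avoid: plain string ordering. Kept here only to
    show that it misclassifies 18.0.10 (flagged vulnerable) and 9.5 (flagged fixed)."""
    return text < "18.0.2"


if __name__ == "__main__":
    for sample in ("18.0.1", "Supravizio BPM v18.0.2", "18.0.10", "9.5"):
        print(sample, "vulnerable" if is_vulnerable(sample) else "fixed",
              "(naive says:", "vulnerable)" if naive_is_vulnerable(sample) else "fixed)")
```

Feed is_vulnerable() whatever string the web interface or configuration file reports; the regex only needs a dotted number somewhere in it.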

📡 Detection & Monitoring

Log Indicators:

  • Unusual Application Administrator account activity
  • Multiple failed authentication attempts followed by successful admin login
  • Unexpected NTLM authentication events from the Supravizio server

Network Indicators:

  • Unusual SMB or NTLM traffic originating from the Supravizio server
  • Authentication attempts to multiple systems using NTLM from a single source

SIEM Query:

source="supravizio_logs" AND (event_type="admin_login" OR event_type="authentication") | stats count by user, src_ip
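The network and log indicators above boil down to two patterns in centrally collected Windows Security logs: the Supravizio service account authenticating over NTLM from an address that is not the Supravizio server (a relayed or replayed credential), and one account/source pair reaching many hosts over NTLM in a short window (lateral movement). The following is an added example, not code from the page or from the vendor, that runs both checks over constructed event 4624 records; the key=value flattening, the server address 10.10.5.20 and the account name svc_supravizio are assumptions, and real deployments would substitute their own values and log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed environment values (not from the advisory): the BPM host's address
# and the Windows account its service runs as.
SUPRAVIZIO_SERVER_IPS = {"10.10.5.20"}
SUPRAVIZIO_ACCOUNTS = {"svc_supravizio"}

# Constructed sample records: Windows Security event 4624 (network logon,
# LogonType 3) flattened to key=value by a hypothetical SIEM forwarder.
# 'Computer' is the host that recorded the logon, 'IpAddress' the client.
SAMPLE_EVENTS = """
2024-09-18T10:00:01Z EventID=4624 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=svc_supravizio IpAddress=10.10.5.20 Computer=FS01
2024-09-18T10:00:04Z EventID=4624 LogonType=3 AuthenticationPackageName=Kerberos TargetUserName=jdoe IpAddress=10.10.7.44 Computer=FS01
2024-09-18T10:02:10Z EventID=4624 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=svc_supravizio IpAddress=10.10.7.99 Computer=DC01
2024-09-18T10:02:11Z EventID=4624 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=svc_supravizio IpAddress=10.10.7.99 Computer=SQL01
2024-09-18T10:02:15Z EventID=4624 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=svc_supravizio IpAddress=10.10.7.99 Computer=FS02
2024-09-18T10:02:20Z EventID=4624 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=svc_supravizio IpAddress=10.10.7.99 Computer=HR-WS17
2024-09-18T10:03:00Z EventID=4624 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=backup IpAddress=10.10.9.9 Computer=FS01
2024-09-18T11:30:00Z EventID=4624 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=svc_supravizio IpAddress=10.10.5.20 Computer=FS01
"""

LINE_RE = re.compile(r"^(\S+)\s+(.+)$")


def parse_events(text):
    """Turn the flattened lines into dicts with a parsed 'ts' datetime."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line
        fields = dict(kv.split("=", 1) for kv in m.group(2).split())
        fields["ts"] = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def ntlm_network_logons(events):
    return [e for e in events
            if e.get("EventID") == "4624" and e.get("LogonType") == "3"
            and e.get("AuthenticationPackageName") == "NTLM"]


def detect_relay(events):
    """The BPM service account authenticating with NTLM from an address that is
    not the BPM server is the signature of a relayed (or replayed) credential."""
    return [(e["ts"], e["TargetUserName"], e["IpAddress"], e["Computer"])
            for e in ntlm_network_logons(events)
            if e["TargetUserName"] in SUPRAVIZIO_ACCOUNTS
            and e["IpAddress"] not in SUPRAVIZIO_SERVER_IPS]


def detect_fanout(events, threshold=3, window=timedelta(minutes=5)):
    """One (account, source IP) pair reaching >= threshold distinct hosts over
    NTLM inside 'window' suggests lateral movement with a captured credential."""
    by_key = defaultdict(list)
    for e in ntlm_network_logons(events):
        by_key[(e["TargetUserName"], e["IpAddress"])].append(e)
    alerts = []
    for (account, src), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            hosts = {x["Computer"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(hosts) >= threshold:
                alerts.append((account, src, sorted(hosts)))
                break  # one alert per pair is enough
    return alerts


def run_detections(text=SAMPLE_EVENTS):
    events = parse_events(text)
    return {"relay": detect_relay(events), "fanout": detect_fanout(events)}


if __name__ == "__main__":
    for kind, hits in run_detections().items():
        for hit in hits:
            print(kind, hit)
```

Both checks depend on the 4624 events of the target hosts reaching the SIEM, since a relayed logon is recorded on the host that accepted it, not on the Supravizio server; the legitimate 10.10.5.20 to FS01 traffic in the sample is deliberately left unflagged to show the baseline the rules tolerate.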

🔗 References
