CVE-2024-55210

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to bypass multi-factor authentication in TOTVS Framework (Linha Protheus) by sending specially crafted websocket messages. Systems running the affected version are vulnerable to unauthorized access. This affects organizations using TOTVS Protheus ERP software.

💻 Affected Systems

Products:
  • TOTVS Framework (Linha Protheus)
Versions: 12.1.2310
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Any system with TOTVS Protheus 12.1.2310 and WebSocket functionality enabled is vulnerable. The vulnerability is in the authentication mechanism itself.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to bypass all authentication controls, access sensitive business data, and potentially execute arbitrary code with administrative privileges.

🟠 Likely Case

Unauthorized access to business applications and data, potentially leading to data theft, financial fraud, or business disruption.

🟢 If Mitigated

Limited impact if proper network segmentation, monitoring, and additional authentication layers are in place to detect and block unauthorized access attempts.

🌐 Internet-Facing: HIGH - WebSocket endpoints are typically internet-accessible, making exploitation straightforward for external attackers.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this, but doing so requires network access to the vulnerable service.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept code is available on GitHub, making exploitation trivial for attackers with basic technical skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Contact TOTVS support for guidance. Consider upgrading to a newer version if available.

🔧 Temporary Workarounds

Disable WebSocket functionality (platform: all)

Disable WebSocket support in the TOTVS Protheus configuration to prevent exploitation via this vector.

Modify the Protheus configuration files to disable WebSocket protocol support.

Network segmentation and filtering (platform: linux)

Restrict access to the WebSocket ports (typically 8080, 8443) using firewall rules:

# These rules drop all inbound traffic to the ports Protheus typically uses for WebSocket connections.
# Add ACCEPT rules for trusted sources ahead of them so legitimate clients keep working.
iptables -A INPUT -p tcp --dport 8080 -j DROP
iptables -A INPUT -p tcp --dport 8443 -j DROP

🧯 If You Can't Patch

  • Implement additional authentication layers (WAF, reverse proxy with authentication)
  • Monitor WebSocket traffic for anomalous authentication bypass patterns

🔍 How to Verify

Check if Vulnerable:

Check if running TOTVS Protheus version 12.1.2310 and test WebSocket authentication bypass using available PoC

Check Version:

Check Protheus version in application interface or configuration files

Verify Fix Applied:

Test authentication with MFA enabled - a successful bypass indicates the system is still vulnerable.

📡 Detection & Monitoring

Log Indicators:

  • Failed MFA attempts followed by successful authentication
  • WebSocket authentication anomalies
  • Unusual authentication patterns from single IP

Network Indicators:

  • WebSocket traffic bypassing normal authentication flow
  • Abnormal WebSocket message patterns

SIEM Query:

source="protheus_logs" AND (event="authentication" AND result="success" AND mfa="bypassed")
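The log indicators above can be turned into a small correlation check. The following is an added example written for this page, not code from TOTVS or from the advisory; it assumes (since the page does not describe the Protheus log format) that authentication events have already been normalised into one key=value line per event with the fields ip, user, event (mfa or authentication) and result (success or failed), and it treats a successful login with no preceding successful MFA event for the same IP/user pair as a bypass candidate. The sample log lines and the thresholds are constructed for illustration.

```python
"""Correlate normalised authentication events for the indicators listed above:
MFA failures followed by a successful login, logins without a successful MFA
step, and many distinct users authenticating from one IP in a short window.
Log format and thresholds are assumptions for this example, not Protheus's own."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real Protheus output).
SAMPLE_LOG = """\
2024-12-10T10:00:01Z ip=203.0.113.5 user=alice event=mfa result=failed
2024-12-10T10:00:04Z ip=203.0.113.5 user=alice event=mfa result=failed
2024-12-10T10:00:09Z ip=203.0.113.5 user=alice event=authentication result=success
2024-12-10T10:05:00Z ip=198.51.100.7 user=bob event=mfa result=success
2024-12-10T10:05:02Z ip=198.51.100.7 user=bob event=authentication result=success
2024-12-10T10:20:00Z ip=203.0.113.5 user=carol event=authentication result=success
2024-12-10T10:21:00Z ip=203.0.113.5 user=dave event=authentication result=success
2024-12-10T10:22:00Z ip=203.0.113.5 user=erin event=authentication result=success
"""


def parse_line(line):
    """Parse '<timestamp> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts_str, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_mfa_bypass_candidates(records, window=timedelta(minutes=2)):
    """Flag successful logins that were not preceded (within the window) by a
    successful MFA event for the same IP/user pair. Records must be in time order."""
    alerts = []
    recent_mfa = defaultdict(list)  # (ip, user) -> MFA events seen so far
    for rec in records:
        key = (rec["ip"], rec["user"])
        if rec["event"] == "mfa":
            recent_mfa[key].append(rec)
        elif rec["event"] == "authentication" and rec["result"] == "success":
            in_window = [m for m in recent_mfa[key] if rec["ts"] - m["ts"] <= window]
            failed = [m for m in in_window if m["result"] == "failed"]
            passed = [m for m in in_window if m["result"] == "success"]
            if passed:
                continue  # MFA completed normally before the login
            if failed:
                alerts.append(("mfa_failures_then_success", rec["ip"], rec["user"], len(failed)))
            else:
                alerts.append(("success_without_mfa", rec["ip"], rec["user"], 0))
    return alerts


def find_multi_user_ips(records, window=timedelta(minutes=10), max_users=2):
    """Flag an IP that successfully authenticates as more than max_users
    distinct users within the sliding window (one alert per IP)."""
    alerts = []
    seen = defaultdict(list)  # ip -> [(ts, user)] within the window
    flagged = set()
    for rec in records:
        if rec["event"] != "authentication" or rec["result"] != "success":
            continue
        ip = rec["ip"]
        seen[ip] = [(t, u) for t, u in seen[ip] if rec["ts"] - t <= window]
        seen[ip].append((rec["ts"], rec["user"]))
        users = {u for _, u in seen[ip]}
        if len(users) > max_users and ip not in flagged:
            flagged.add(ip)
            alerts.append(("many_users_from_single_ip", ip, sorted(users)))
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for alert in find_mfa_bypass_candidates(recs) + find_multi_user_ips(recs):
        print(alert)
```

On the sample data the first check flags alice (two MFA failures, then a login with no MFA success) and the three logins from 203.0.113.5 that carry no MFA event at all, while bob passes; the second check flags 203.0.113.5 for authenticating as three different users within ten minutes. The "success without MFA" rule is the one that matters for this CVE, since a bypass produces a login whose MFA step never succeeded.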
