Vulnerability: CVE-2024-50618
At CIPPlanner, the security of customer installations of CIPAceTM software and data is our top priority. Therefore, we would like to inform you that CIPPlanner recently identified a security incident and has taken measures to remedy the situation through an enterprise-wide resolution initiative in March 2025, identified and tracked as “S10001”.
By: Kenneth Price
Published: December 24, 2025, 9:19 AM EST
Last Modified: December 24, 2025, 9:19 AM EST
Situational Summary
The incident involved an unauthorized party compromising an inactive third-party vendor user account at one of our customers. Independent investigations concluded by both the CIPPlanner cybersecurity team and the client’s IT team found no evidence of significant operational impact or security breach. We attribute this outcome to: CIPPlanner’s established security protocols; implementation of daily operational best practices; CIPAceTM maintenance; and the diligence of our SuperAdmin users.
In accordance with the “CIPPlanner Security Incident Response Operating Procedure”, the cybersecurity team identified and remedied the Common Vulnerabilities and Exposures (CVE) entry discussed below.
Vulnerability Details
A use-of-single-factor-authentication vulnerability in the Authentication component of the CIPAceTM product from CIPPlanner Corporation before version 9.17 allows attackers to bypass a protection mechanism. When the system is configured to allow login with internal accounts, an attacker can possibly obtain full authentication if the secret in a single-factor authentication scheme gets compromised.
CVE Registration
In 2024, CIPPlanner reported four (4) information security vulnerabilities to the U.S. Government-funded MITRE Corporation, which identified this vulnerability as CVE-2024-50618. Registration metadata are as follows:
Type: Insecure Permissions
CVSS Version: 4.0
Metric Score: 6.1
Vector: AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/SC:N/VI:L/SI:N/VA:L/SA:N
CVE Resolution
The status of CIPPlanner’s resolution of CVE-2024-50618 is “Remedied”. Related activities are:
- CIPPlanner developed and distributed software patches to its valued customers. These resolutions are now embedded in later versions of the CIPAceTM codebase.
- CIPPlanner retained the New Jersey-based cybersecurity consultant Entersoft US LLC to execute independent SAST, DAST, and penetration testing services on the CIPAceTM full stack. Entersoft has performed these independent services and certified the CIPAceTM software. The certification protocols required CIPPlanner to remedy security vulnerabilities that are now reflected in later version codebases.
- Resolution of the CVE came in the form of multi-factor authentication (MFA) based on SMS verification being implemented in CIPAceTM.
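To make the weakness in the Vulnerability Details section and the MFA remedy above concrete, the following is an added illustration written for this page; it is not CIPPlanner's or CIPAceTM's code, and every name, parameter and sample value in it is hypothetical. The first login function shows the single-factor pattern: a correct password alone yields a session, and nothing stops a dormant account such as the inactive vendor account from the incident from being used. The second, two-step flow refuses inactive accounts, checks the password, and then issues a short-lived one-time code through a caller-supplied delivery function (standing in for the SMS channel, which is not implemented here) before any session is granted.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple

# Constructed parameters for this illustration (not CIPAce settings).
PBKDF2_ITERATIONS = 200_000
OTP_TTL_SECONDS = 300      # second-factor code lifetime
OTP_MAX_ATTEMPTS = 3       # guesses allowed per issued code


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    phone: str
    active: bool = True
    # State of an in-progress second-factor step: digest of the code,
    # absolute expiry time and the number of verification attempts used.
    pending_otp: dict = field(default_factory=dict)


def verify_password(acct: Account, password: str) -> bool:
    _, candidate = hash_password(password, acct.salt)
    return hmac.compare_digest(candidate, acct.pw_hash)


# Vulnerable pattern (single factor): the password is the only secret, and
# the account's active flag is never consulted, so a leaked credential for a
# dormant vendor account is enough to obtain a full session.
def login_single_factor(acct: Account, password: str) -> Optional[str]:
    if verify_password(acct, password):
        return secrets.token_hex(16)
    return None


# Hardened pattern, step 1: reject inactive accounts, check the password,
# then issue a short-lived one-time code through an out-of-band channel.
def login_begin(acct: Account, password: str,
                send_code: Callable[[str, str], None],
                now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    if not acct.active:
        return False
    if not verify_password(acct, password):
        return False
    code = f"{secrets.randbelow(10**6):06d}"
    acct.pending_otp = {
        "digest": hashlib.sha256(code.encode()).digest(),
        "expires": now + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    send_code(acct.phone, code)   # delivery (e.g. SMS) is the caller's job
    return True


# Hardened pattern, step 2: a session is issued only after the second factor
# is presented within its lifetime and attempt budget.
def login_complete(acct: Account, code: str,
                   now: Optional[float] = None) -> Optional[str]:
    now = time.time() if now is None else now
    pending = acct.pending_otp
    if not pending:
        return None
    if now > pending["expires"] or pending["attempts"] >= OTP_MAX_ATTEMPTS:
        acct.pending_otp = {}      # stale or exhausted code: force a restart
        return None
    pending["attempts"] += 1
    presented = hashlib.sha256(code.encode()).digest()
    if hmac.compare_digest(presented, pending["digest"]):
        acct.pending_otp = {}      # one code, one use
        return secrets.token_hex(16)
    return None


if __name__ == "__main__":
    # Constructed sample: a dormant vendor account whose password has leaked.
    salt, digest = hash_password("correct horse battery")
    vendor = Account("vendor-svc", salt, digest, "+1-555-0100", active=False)
    print("single factor grants session to inactive account:",
          login_single_factor(vendor, "correct horse battery") is not None)
    print("MFA flow admits inactive account:",
          login_begin(vendor, "correct horse battery", lambda phone, code: None))
```

The one-time code is stored only as a digest, compared in constant time, bound to an expiry and a small attempt budget, and discarded on first success, so a code that is intercepted or guessed later cannot be replayed. Disabling or removing inactive accounts remains the first line of defence; the second factor limits the damage when a credential for one of them leaks anyway.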
Subsequently, CIPPlanner’s Product and Implementation teams executed the above software resolutions by:
- Merging needed software remedies in new versions of CIPAceTM v10.x and beyond.
- Distributing software patches and instructions to customers where no CIPAceTM upgrade is underway.
- Code-merging software remedies into CIPAceTM as a part of ongoing software upgrade projects.
If you have any questions or concerns, please do not hesitate to contact us.
FOOTNOTE:
The mission of the CVE Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. The CVE Program is maintained by the National Cybersecurity FFRDC (Federally Funded Research and Development Center), which is funded by the US Department of Homeland Security. For more information, please visit:
- CVE Program Mission – CVE Website
- CVE terminology – Glossary | CVE
- MITRE CVE Request form – CVE – Common Vulnerabilities and Exposures (CVE)
- CVSS – Common Vulnerability Scoring System Version 4.0
