CVE-2024-50619: CVE Public Notification of Resolution

Vulnerability: CVE-2024-50619

At CIPPlanner, the security of customer installations of CIPAce™ software and data is our top priority. Therefore, we would like to inform you that CIPPlanner has recently identified a security incident and taken measures to remedy the situation: an enterprise-wide resolution initiative, identified and tracked as “S10001”, in March 2025.

By: Kenneth Price

Published: December 24, 2025, 9:19 AM EST

Last Modified: December 24, 2025, 9:19 AM EST

Situational Summary

The incident involved an unauthorized party compromising an inactive third-party vendor user account at one of our customers. An independent investigation concluded by both the CIPPlanner cybersecurity team and the client’s IT team found no evidence of significant operational impact or security breach. We attribute this desired outcome to: CIPPlanner’s established security protocols; implementation of daily operational best practices; CIPAce™ maintenance; and the diligence of our SuperAdmin users.

In accordance with the “CIPPlanner Security Incident Response Operating Procedure”, the cybersecurity team identified and remedied the Common Vulnerabilities and Exposures (CVE) entry discussed below.

Vulnerability Details

Vulnerabilities in the My Account and User Management components of the CIPAce™ product of CIPPlanner Corporation before version 9.17 allow attackers to escalate their access levels. A low-privileged authenticated user can gain access to other people’s accounts by tampering with the client’s user ID to change their account information. A low-privileged authenticated user can elevate his or her system privileges by modifying the information of a user role that is displayed with read-only controls in the client.

CVE Registration

In 2024, CIPPlanner reported four (4) information security vulnerabilities to the U.S. Government-funded MITRE; the latter identified the vulnerability as CVE-2024-50619. Registration metadata are as follows:

  • Type: Incorrect Access Control

  • CVSS Version: 4.0

  • Metric Score: 8.6

  • Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/SC:N/VI:H/SI:N/VA:L/SA:N/

CVE Resolution

The status of CIPPlanner resolution of CVE-2024-50619 is “Remedied”. Related activities are:

  • CIPPlanner developed and distributed software patches to its valued customers. These resolutions are now embedded in later versions of the CIPAce™ codebase.

  • CIPPlanner retained New Jersey-based cybersecurity consultant, Entersoft US LLC, to execute independent SAST, DAST, and Penetration Testing services on the CIPAce™ full stack. Entersoft has performed independent services and certified CIPAce™ software. The certification protocols required CIPPlanner to remedy security vulnerabilities that are now reflected in later version codebases.

  • CIPPlanner fixed the issue where the hidden user ID could be tampered with on the client side and successfully submitted, by correcting the incorrect error handling on the server side. It also adjusted the server-side validation code to prevent the issue where data from a client-side read-only control could be tampered with and then successfully submitted.

Subsequently, CIPPlanner’s Product and Implementation teams executed the above software resolutions by:

  1. Merging needed software remedies in new versions of CIPAce™ v10.x and beyond.
  2. Distributing software patches and instructions to customers where no CIPAce™ upgrade is underway.
  3. Code-merging software remedies into CIPAce™ as a part of ongoing software upgrade projects.
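
The two server-side fixes listed under CVE Resolution (binding the target account to the authenticated session instead of the posted hidden user ID, and refusing changes to fields the client only renders as read-only) can be sketched as follows. This is an added illustration, not CIPAce™ code: Python is used only for demonstration, and every name, field and role in it is hypothetical.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when a request tries to change something the caller may not."""

@dataclass
class Session:
    user_id: int      # set by the server at login, never taken from the form
    is_admin: bool

def sample_users():
    # Constructed sample data standing in for the user table.
    return {1: {"email": "alice@example.test", "role": "viewer"},
            2: {"email": "bob@example.test", "role": "viewer"}}

SELF_EDITABLE = {"email"}   # fields users may change on their own account
ADMIN_ONLY = {"role"}       # shown as a read-only control to non-admins

def update_account_trusting_client(users, session, form):
    """'Before' pattern: trusts the hidden user_id and every posted field."""
    target = users[int(form["user_id"])]
    for key, value in form.items():
        if key != "user_id":
            target[key] = value
    return target

def update_account_validated(users, session, form):
    """'After' pattern: the server decides the target and the writable fields."""
    target_id = int(form.get("user_id", session.user_id))
    if target_id != session.user_id and not session.is_admin:
        raise Forbidden("user_id does not match the authenticated session")
    allowed = SELF_EDITABLE | (ADMIN_ONLY if session.is_admin else set())
    changes = {k: v for k, v in form.items() if k != "user_id"}
    rejected = set(changes) - allowed
    if rejected:
        # Fail closed: reject the whole request rather than saving part of it.
        raise Forbidden(f"fields not writable by this user: {sorted(rejected)}")
    users[target_id].update(changes)
    return users[target_id]
```

Raising before any write matters here: a handler that logs the mismatch but still saves the record reproduces the error-handling flaw the resolution describes.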

If you have any questions or concerns, please do not hesitate to contact us.

FOOTNOTE:

The mission of the CVE Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. The CVE Program is maintained by the National Cybersecurity FFRDC (Federally Funded Research and Development Center), which is funded by the US Department of Homeland Security. For more information, please visit: 
