Cleartext Credential Exposure in No-IP Dynamic Update Client v3.x
CVE-2024-40457

Currently unrated

Key Information:

Vendor: No-IP
Status: Dynamic Update Client (DUC)
Vendor: CVE Published:; 12 September 2024

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2024-40457?

The No-IP Dynamic Update Client (DUC) v3.x version stores cleartext credentials, potentially exposing sensitive information through command line usage or within configuration files. Despite security concerns, the vendor maintains that this cleartext usage in the specified file is intentional, raising implications for users regarding the management and protection of their credentials.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-40457-PoC
Created by jeppojeps

References

https://www.noip.com/support/knowledgebase/install-linux-...

https://www.noip.com/support/knowledgebase/running-linux-...

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Oct 31, 2024
👾
Exploit known to exist
Oct 31, 2024
Vulnerability published
Sep 12, 2024
Vulnerability Reserved
Jul 5, 2024