
Apex Softcell Flaws Could Lead to Unauthorized Transactions, CERT-In Warns

High-severity vulnerabilities in Apex Softcell’s mobile stock trading and back office platforms could lead to OTP bypass, transaction manipulation, and more.

September 25, 2024 · 3 min read

Overview

The Indian Computer Emergency Response Team (CERT-In) has warned users about five high-severity vulnerabilities in Apex Softcell’s mobile stock trading and back-office platforms.

The 32-year-old private company focuses on products and solutions for capital markets and the financial industry, making any vulnerability potentially critical.

According to the CERT-In advisory published last week, the vulnerabilities affect Apex Softcell LD Geo versions prior to 4.0.0.7 and LD DP Back Office versions prior to 24.8.21.1 and could allow a remote attacker to perform user enumeration, bypass OTP verification, manipulate unauthorized transactions, or gain unauthorized access to sensitive information of other user accounts.

Affected Products and Vulnerabilities

The affected products are Apex Softcell LD Geo versions prior to 4.0.0.7 and Apex Softcell LD DP Back Office versions prior to 24.8.21.1. Five vulnerabilities have been identified and assigned identifiers, although their full details have not yet been publicly announced: CVE-2024-47085, CVE-2024-47086, CVE-2024-47087, CVE-2024-47088, and CVE-2024-47089.

CVE-2024-47085: Parameter Manipulation Vulnerability

This vulnerability exists in the LD DP Back Office because of improper validation of the parameters “cCdslClicentcode” and “cLdClientCode” in the API endpoint. Authenticated remote attackers could exploit this vulnerability via the manipulation of parameters in the API request body, leading to the exposure of sensitive information belonging to other users.

CVE-2024-47086: OTP Bypass Vulnerability

Another LD DP Back Office vulnerability, this one caused by improper implementation of an OTP validation mechanism in certain API endpoints, could be exploited by an authenticated remote attacker who provides arbitrary OTP values for authentication, subsequently changing the API response, and bypassing OTP verification for other user accounts.

CVE-2024-47087: Information Disclosure Vulnerability

This vulnerability in LD Geo is due to improper validation of certain parameters (Client ID, DPID, or BOID) in the API endpoint. Authenticated remote attackers could exploit this vulnerability by manipulating parameters in the API request body, leading to sensitive information exposure.

CVE-2024-47088: User Enumeration Vulnerability

This vulnerability in LD Geo stems from missing restrictions on excessive failed authentication attempts against its API-based login. Remote attackers could exploit this by brute-forcing the login OTP, which could lead to unauthorized access to other user accounts.
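As an added illustration (not code from the advisory or from Apex Softcell), the following Python sketch shows the server-side OTP handling that closes both the OTP-bypass and the OTP-brute-force patterns described above: the verified flag lives only in server state, so a tampered API response changes nothing, and each OTP allows a bounded number of guesses before it is discarded. MAX_ATTEMPTS, OTP_TTL_SECONDS and the class and function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

MAX_ATTEMPTS = 5       # assumption: an OTP is discarded after five wrong guesses
OTP_TTL_SECONDS = 120  # assumption: an OTP expires two minutes after issue


class OtpStore:
    """Server-side OTP state per user. The verified flag is set only here, never
    from anything the client sends back, so editing an API response cannot
    mark a login as OTP-verified."""

    def __init__(self):
        self._state = {}  # user -> {"hash", "expires", "attempts", "verified"}

    def issue(self, user: str, now: float = None) -> str:
        now = time.time() if now is None else now
        otp = f"{secrets.randbelow(10**6):06d}"
        self._state[user] = {"hash": hashlib.sha256(otp.encode()).digest(),
                             "expires": now + OTP_TTL_SECONDS,
                             "attempts": 0, "verified": False}
        return otp  # delivered out of band (SMS/app), never echoed in the API response

    def verify(self, user: str, candidate: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        st = self._state.get(user)
        if st is None or now > st["expires"] or st["attempts"] >= MAX_ATTEMPTS:
            return False  # no OTP issued, expired, or guess budget exhausted
        st["attempts"] += 1
        if hmac.compare_digest(hashlib.sha256(candidate.encode()).digest(), st["hash"]):
            st["verified"] = True
            st["attempts"] = MAX_ATTEMPTS  # single use: no further guesses accepted
            return True
        return False

    def attempts_left(self, user: str) -> int:
        st = self._state.get(user)
        return 0 if st is None else max(0, MAX_ATTEMPTS - st["attempts"])

    def is_verified(self, user: str) -> bool:
        st = self._state.get(user)
        return bool(st and st["verified"])


def authorise_sensitive_action(store: OtpStore, user: str, client_claims_verified: bool) -> bool:
    """Gate for a password change or transfer: the client's own claim (for example
    a tampered {"otpVerified": true}) is ignored; only server-side state counts."""
    return store.is_verified(user)
```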

CVE-2024-47089: Unauthorized Transaction Manipulation Vulnerability

This LD Geo vulnerability is caused by improper validation of the transaction token ID in the API endpoint. Authenticated remote attackers could exploit this by manipulating the transaction token ID in the API request, leading to unauthorized access and modification of transactions belonging to other users.
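The three parameter-manipulation findings above (client codes in the back office, Client ID/DPID/BOID in LD Geo, and the transaction token ID) share one root cause: an identifier supplied in the request body is used to select a record without checking that it belongs to the authenticated caller. The Python below is an added example, not the vendor's code, contrasting that flawed lookup with an object-level authorisation check; the sample records, the Session type and its allowed_clients set are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample records (not real data): LD client code -> demat record.
# The key names follow the advisory's spelling of the body parameters.
HOLDINGS = {
    "LD001": {"cCdslClicentcode": "1200000000000001", "isins": ["INE000A00001"]},
    "LD002": {"cCdslClicentcode": "1200000000000002", "isins": ["INE000B00002"]},
}
# Constructed transaction store: transaction token ID -> owning client code.
TRANSACTIONS = {"TXN-7001": "LD001", "TXN-7002": "LD002"}


@dataclass
class Session:
    """Authenticated caller. allowed_clients is an assumption: the client codes
    this login may act on (a retail login has exactly one)."""
    user: str
    allowed_clients: set = field(default_factory=set)


def vulnerable_fetch(session: Session, body: dict) -> dict:
    """The flawed pattern: the client code is taken verbatim from the request
    body, so any authenticated caller can read any other client's record."""
    return HOLDINGS[body["cLdClientCode"]]


def is_authorised(session: Session, body: dict) -> bool:
    """Object-level authorisation: the requested LD client code must belong to
    the caller, and the CDSL code, if sent, must match that client's record."""
    code = body.get("cLdClientCode")
    record = HOLDINGS.get(code)
    if record is None or code not in session.allowed_clients:
        return False
    cdsl = body.get("cCdslClicentcode")
    return cdsl is None or cdsl == record["cCdslClicentcode"]


def hardened_fetch(session: Session, body: dict) -> dict:
    if not is_authorised(session, body):
        raise PermissionError(f"{session.user} may not access {body.get('cLdClientCode')}")
    return HOLDINGS[body["cLdClientCode"]]


def owns_transaction(session: Session, token_id: str) -> bool:
    """Same check for the transaction token: resolve the owner server-side and
    compare it with the session instead of trusting the supplied ID alone."""
    return TRANSACTIONS.get(token_id) in session.allowed_clients
```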

Users should upgrade Apex Softcell LD Geo to version 4.0.0.7 and Apex Softcell LD DP Back Office to version 24.8.21.1.

Conclusion

Remote attackers could manipulate transactions, bypass authentication, and access sensitive user information, so the implications of these vulnerabilities could be severe. To mitigate these risks, all users of Apex Softcell LD Geo and LD DP Back Office must immediately upgrade to the latest versions, 4.0.0.7 and 24.8.21.1 respectively. Proactive measures and timely updates are essential to secure sensitive financial data and to maintain the integrity of trading operations.

Mitigation and Recommendations

  • Users must upgrade to Apex Softcell LD Geo version 4.0.0.7 and LD DP Back Office version 24.8.21.1 to close the identified vulnerabilities.
  • Ensure that all API endpoints validate input parameters rigorously to prevent parameter manipulation and unauthorized access.
  • Employ anomaly detection systems to identify unusual patterns, such as excessive failed login attempts, which may indicate brute-force attacks.
  • Perform periodic security assessments and penetration testing on the trading platforms to identify and address vulnerabilities proactively.
  • Train users to recognize potential phishing attempts and unauthorized access attempts, reinforcing the importance of strong, unique passwords.
  • Enforce the principle of least privilege, granting users only the access necessary for their roles, thereby reducing the impact of a compromised account.
  • Subscribe to security advisories and maintain awareness of newly discovered vulnerabilities related to the software in use to ensure timely responses.
