CVE-2024-0980 Vulnerability in Okta Verify for Windows Demands Urgent Update

Security researchers have uncovered a serious vulnerability in Okta Verify for Windows, a popular multifactor authentication (MFA) app. This flaw rated 7.1 (High) on the CVSS scale, could allow attackers to remotely execute arbitrary code on affected systems.

Okta Verify is a multifactor authentication (MFA) app developed by Okta. It lets users verify their identity when they sign in to Okta and makes it less likely that someone pretending to be the user can gain access to the account.

What’s at Risk

Organizations relying on Okta Verify for Windows to protect sensitive accounts face potential compromise. Successful exploitation of this vulnerability could grant attackers a foothold within company networks, with the ability to:

• Steal confidential data
• Launch further attacks deeper into the system
• Disrupt business operations

Vulnerability Details (CVE-2024-0980)

The vulnerability stems from flaws in the auto-update service of Okta Verify for Windows. Attackers could exploit this service to inject and execute malicious code with the same privileges as the update process itself.

“The Auto-update service for Okta Verify for Windows is vulnerable to two flaws which in combination could be used to execute arbitrary code,” reads the security advisory.

Security researcher Ryan Wincey of Securifera, Inc. has been credited for discovering and responsibly disclosing this vulnerability.

Affected Systems

Only Okta Verify for Windows is impacted. Here’s the breakdown:

• Vulnerable: Systems running Okta Verify for Windows versions prior to 4.10.7 and those that had older versions installed at some point.
• Not Affected: Okta Verify on other platforms like macOS, iOS, or Android.

Call to Action: Update Immediately

Okta has released a patched version (4.10.7) to address the CVE-2024-0980 vulnerability. Security teams should prioritize updating Okta Verify for Windows installations as soon as possible.