CVE-2024-37364
Description
Ariane Allegro Scenario Player through 2024-03-05, when Ariane Duo kiosk mode is used, allows physically proximate attackers to obtain sensitive information (such as hotel invoice content with PII), and potentially create unauthorized room keys, by entering a guest-search quote character and then accessing the underlying Windows OS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Ariane Allegro Scenario Player in kiosk mode crashes on a single quote, exposing the underlying Windows OS and sensitive PII.
CVE-2024-37364 describes a kiosk-mode escape vulnerability in the Ariane Allegro Scenario Player, a self-service hotel check-in terminal application. The root cause is an input validation failure: entering a single quote character (') into the guest-search field triggers an application crash [1]. When the application crashes in kiosk mode, the underlying Windows desktop becomes accessible, breaking the intended isolation.
Exploitation requires physical proximity to the terminal. An attacker only needs to interact with the guest-search function; no authentication or special privileges are needed. The crash is immediate, and once the Windows desktop is reachable, the attacker can execute arbitrary commands or launch applications [1].
The impact is severe for a hospitality environment. An attacker can extract sensitive information from hotel invoices (e.g., guest names, room numbers, PII) and, more critically, could potentially create unauthorized room keys. Given that this system is deployed in “3,000 hotels and 500,000 rooms in more than 25 countries,” according to the vendor, the exposure is broad [1].
Ariane Systems acknowledged the issue after a disclosure effort by Pentagrid. The vulnerability affects the Scenario Player through 2024-03-05. The vendor’s advisory indicates that the bug exists in an outdated software version, and organizations should update to the latest patched release; no workaround is described. There is no evidence that this CVE is listed in CISA’s Known Exploited Vulnerabilities catalog at this time [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 2024-03-05
Patches
No patches discovered yet.