CVE-2024-28138

CVSS 3.1 Score 7.3 of 10 (high)

Details

Published Dec 10, 2024
Updated: Dec 11, 2024
CWE ID 78

Summary

CVE-2024-28138 is a newly disclosed OS command injection vulnerability (CWE-78) that allows unauthenticated attackers with network access to the affected device's web interface to execute arbitrary system commands via the "msg_events.php" script. The vulnerability arises from improper sanitization of the HTTP GET parameter "data". This issue can potentially grant attackers significant privileges, posing a serious threat to the security of the affected system. The injected commands run as the www-data user, which increases the potential impact of this vulnerability. Organizations are strongly advised to apply the necessary patches or mitigations to protect their systems from this exploit.
