Remote Command Execution Vulnerability in RaspAP by Billz
CVE-2020-24572

8.8HIGH

Key Information:

Vendor

Raspap

Status
Raspap
Vendor
CVE Published:
24 August 2020

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 42%

What is CVE-2020-24572?

A significant security vulnerability exists in RaspAP 2.5, where an authenticated attacker can exploit a poorly configured web console located in includes/webconsole.php. This flaw allows the attacker to execute arbitrary commands on the Raspberry Pi operating system. Given the web console's virtually unrestricted access, this can lead to unauthorized file uploads and code execution, posing a serious risk to systems running this software.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

cve-2020-24572
Created by lb0x

References

https://github.com/billz/raspap-webgui/releases
x_refsource_MISC
https://github.com/lb0x
x_refsource_MISC
https://github.com/billz/raspap-webgui/commit/dd5ab7bdc21...
x_refsource_MISC

EPSS Score

42% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2020-24572 : Remote Command Execution Vulnerability in RaspAP by Billz