Arbitrary File Read Vulnerability in SPON IP Network Broadcast System by SPON Communications
CVE-2024-13982

8.7HIGH

Key Information:

Vendor

Changsha Spon Communication Technology Co. Ltd.

Status
Spon Ip Network Broadcast System
Vendor
CVE Published:
27 August 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2024-13982?

The SPON IP Network Broadcast System, developed by SPON Communications, is vulnerable to an arbitrary file read issue located in the rj_get_token.php endpoint. This vulnerability is made possible due to inadequate input validation of the jsondata[url] parameter, enabling attackers to conduct directory traversal attacks. By sending a specially crafted POST request, an unauthenticated remote attacker can access sensitive files on the server, which could reveal critical system configuration details, user credentials, or other internal logic that should remain protected.

Affected Version(s)

SPON IP Network Broadcast System *

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-13982 - Proof of Concept

References

https://blog.csdn.net/qq_36618918/article/details/135505570
technical-descriptionexploit
https://sponcomm.com/collections/ip-intercom-system
product
https://www.vulncheck.com/advisories/spon-ip-network-inte...
third-party-advisory

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

keepb1lue
.
CVE-2024-13982 : Arbitrary File Read Vulnerability in SPON IP Network Broadcast System by SPON Communications