Command Injection Vulnerability in Vivotek SD9364 Product
CVE-2024-7442
9.8 CRITICAL
What is CVE-2024-7442?
A significant command injection vulnerability has been identified in Vivotek's SD9364 product, specifically in the file management function ‘upload_file.cgi’. By manipulating the QUERY_STRING argument, a remote attacker can execute arbitrary commands on the affected system. The vulnerability is especially concerning because the product is no longer supported by Vivotek, which highlights the risk of running outdated technology. Users are strongly advised to discontinue use of this product or seek alternative solutions to mitigate the risk of remote exploitation.
Affected Version(s)
SD9364 VVTK-0103f
CVSS V3.1
Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Credit
jylsec (VulDB User)
