Remote Code Execution Vulnerability in HuangDou UTCMS V9
CVE-2024-9916

9.8 CRITICAL

Key Information:

Vendor: Huangdou

Status
Vendor
CVE Published: 13 October 2024

Badges

👾 Exploit Exists | 🟡 Public PoC | 📰 News Worthy

What is CVE-2024-9916?

A critical vulnerability has been identified in HuangDou UTCMS V9, affecting functionality in the file app/modules/ut-cac/admin/cli.php. The flaw allows OS command injection due to improper handling of the input argument 'o'. Attackers can exploit this vulnerability remotely, potentially leading to unauthorized system access and overall compromise of the affected server. The vulnerability poses a significant risk, especially since the details have been publicly disclosed, which increases the likelihood of exploitation. Despite early notifications sent to the vendor, no acknowledgement or mitigation efforts have been reported.

Affected Version(s)

UTCMS V9

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component for weaponization, which could lead to ransomware.

News Articles

Mirai Botnet Exploiting Router Vulnerabilities to Gain Complete Device Control

A new wave of cyberattacks has surfaced, with a Mirai-based botnet exploiting a number of significant vulnerabilities in routers and smart devices.

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 📰 First article discovered by CybersecurityNews

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

chenzijie0619 (VulDB User)