CVE-2024-39148

The service wmp-agent of KerOS prior 5.12 does not properly validate so-called magic URLs allowing an unauthenticated remote attacker to execute arbitrary OS commands as root when the service is reachable over network. Typically, the service is protected via local firewall.
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.1 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CISA-ADPADP
8.1 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 37%
VendorProductVersion
kerlinkkeros
5.0 ≤
𝑥
< 5.12
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://keros.docs.kerlink.com/security/security_advisories_kerOS5
https://www.bdosecurity.de/en-gb/advisories/cve-2024-39148