CVE-2024-13089
BaseFortify
Publication date: 2025-06-10
Last updated on: 2025-06-12
Assigner: Nozomi Networks Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an authenticated remote code execution (RCE) issue in the update functionality of Nozomi Networks Guardian and CMC products prior to version 24.6.0. It arises from improper validation of update package signatures, allowing an authenticated administrator to execute arbitrary operating system commands remotely on the appliance. This happens because special elements used in OS commands are not properly neutralized during the signature validation process. [1]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an authenticated administrator to execute unauthorized arbitrary OS commands remotely on the affected appliance. This can compromise the confidentiality, integrity, and availability of the system, potentially leading to unauthorized access, data breaches, or service disruption. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include ensuring that update packages are only installed from trusted sources and upgrading Nozomi Networks Guardian and CMC products to version 24.6.0 or later, which contains the fix for this vulnerability. [1]