CVE-2024-37777
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-27

Last updated on: 2025-09-09

Assigner: MITRE

Description
O2OA v9.0.3 was discovered to contain a remote code execution (RCE) vulnerability via the mainOutput() function.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-27
Last Modified
2025-09-09
Generated
2026-06-16
AI Q&A
2025-08-27
EPSS Evaluated
2026-06-15
NVD
CVE-2024-37777
EUVD
EUVD-2024-54917
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
zoneland o2oa 9.0.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2024-37777 is a critical remote code execution (RCE) vulnerability in O2OA version 9.0.3. It occurs because the system attempts to block dangerous Java classes using a blacklist to prevent harmful operations in scripts, but this blacklist can be bypassed using Java reflection. Attackers can exploit the Script Activity feature within the Process Application Management module to execute arbitrary system commands remotely by dynamically invoking restricted Java classes and methods, such as Runtime.exec(), allowing them to run commands like opening applications on the server. [1]

Impact Analysis

This vulnerability can allow an attacker to remotely execute arbitrary system commands on the server running O2OA 9.0.3 without proper authorization. This can lead to full compromise of the affected system, including unauthorized access, data theft, system manipulation, installation of malware, or disruption of services. Because the attacker can run any command, the impact includes complete loss of confidentiality, integrity, and availability of the system. [1]

Detection Guidance

This vulnerability can be detected by checking if your system is running O2OA version 9.0.3 and by attempting to reproduce the exploit steps. Specifically, you can try to create and execute a Script Activity in the Process Application Management module that uses Java reflection to execute system commands. Monitoring for unusual execution of system commands like 'calc.exe' triggered from the application could indicate exploitation. Since the exploit uses Java reflection to bypass blacklists, commands or scripts that attempt to invoke Runtime.getRuntime().exec() indirectly could be indicators. However, no specific network or system commands are provided in the resources for detection. [1]

Mitigation Strategies

Immediate mitigation steps include not using or disabling O2OA version 9.0.3 until a patch or update is available. Restrict access to the Process Application Management module, especially for untrusted users, and monitor or disable the Script Activity feature to prevent execution of arbitrary scripts. Additionally, review and strengthen sandboxing and input validation to prevent Java reflection bypasses. Since the vulnerability arises from a bypass of the blacklist, consider applying additional security controls such as network segmentation, application whitelisting, and monitoring for suspicious command executions. The resource does not provide a specific patch or fix, so avoiding use or restricting access is critical. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-37777. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart