CVE-2024-39148
BaseFortify
Publication date: 2025-12-01
Last updated on: 2025-12-02
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kerlink | keros | 5.11 |
| kerlink | keros | 5.1 |
| kerlink | keros | 5.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the wmp-agent service of KerOS versions prior to 5.12. The service does not properly validate 'magic URLs', which allows an unauthenticated remote attacker to execute arbitrary operating system commands with root privileges if the service is accessible over the network. Normally, the service is protected by a local firewall, which may limit exposure.
How can this vulnerability impact me? :
If exploited, this vulnerability can allow an attacker to gain full control of the affected system by executing arbitrary commands as the root user remotely without authentication. This could lead to system compromise, data theft, service disruption, or further attacks within the network.