CVE-2024-0305
Published: 2024-01-08
Priority: P182 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 66.93% (99.2th percentile)
A vulnerability was found in Guangzhou Yingke Electronic Technology Ncast up to 2017 and classified as problematic. Affected by this issue is some unknown functionality of the file /manage/IPSetup.php of the component Guest Login. The manipulation leads to information disclosure. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249872.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| guangzhou_yingke_electronic_technology | ncast | — | — |
| ncast_project | ncast | 2007 – 2017 | — |
Detection & IOCs (extracted from sources)
other: Authorization: Basic aGVscGRlc2tJbnRlZ3JhdGlvblVzZXI6ZGV2LUM0RjgwMjVFNw==
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ncast DVR Command Injection Attempt (CVE-2024-0305)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/classes/common/busiFacade.php"; fast_pattern; http.request_body; content:"|22|name|22 3a 22|ping|22|"; content:"|22|serviceName|22 3a 22|SysManager|22|"; content:"|22|param|22 3a 5b 22|ping"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,isc.sans.edu/diary/31782; reference:cve,2024-0305; classtype:attempted-admin; sid:2060962; rev:1;)
snort
alert http1 any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ncast DVR Hardcoded Credentials Login Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/classes/common/busiFacade.php"; fast_pattern; http.header; content:"Authorization|3a 20|Basic|20|aGVscGRlc2tJbnRlZ3JhdGlvblVzZXI6ZGV2LUM0RjgwMjVFNw=="; reference:url,isc.sans.edu/diary/31782; reference:cve,2024-0305; classtype:attempted-admin; sid:2060963; rev:1;)
- Exploit POST requests target /classes/common/busiFacade.php with a JSON body containing serviceName 'SysManager' and command injection via the 'param' field (e.g., pipe characters, semicolons, backticks)
- Successful RCE response body contains uid/gid output matching regex: uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)
- Shodan/FOFA fingerprint for exposed Ncast devices: HTTP title '高清智能录播系统'; use queries app="Ncast-产品" && title=="高清智能录播系统" or title="高清智能录播系统" to identify attack surface
- Hardcoded credential login attempts use a GET request to /classes/common/busiFacade.php with a static Base64-encoded Basic Auth header (aGVscGRlc2tJbnRlZ3JhdGlvblVzZXI6ZGV2LUM0RjgwMjVFNw==)
- Command injection uses shell metacharacters (;, newline, backtick, pipe, $) appended after the ping argument in the param array
- NVD classifies this as an information disclosure vulnerability via /manage/IPSetup.php (Guest Login), but the Nuclei template and Snort rules describe it as RCE via /classes/common/busiFacade.php; both endpoints should be monitored
- The Nuclei template is marked verified=true and targets versions 2017 and earlier; the EPSS score is extremely high (0.93658 / 99.8th percentile), indicating active exploitation likelihood
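The request and response indicators listed above, applied to logged HTTP exchanges, as an added Python example (not part of the original page or of the Emerging Threats ruleset). The `classify` function, the lowercase header keys and the sample exchanges are assumptions constructed for illustration.

```python
import re

ENDPOINT = "/classes/common/busiFacade.php"
# Static header value quoted on this page (sid:2060963); matched as-is, never decoded.
STATIC_AUTH = "Basic aGVscGRlc2tJbnRlZ3JhdGlvblVzZXI6ZGV2LUM0RjgwMjVFNw=="
PING_PREFIX = '"param":["ping'
# Port of the pcre in sid:2060962: a shell metacharacter (; newline ` | $),
# raw or percent-encoded, with no '&' between it and PING_PREFIX.
METACHAR = re.compile(r"[^&]*?(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24)")
# Response pattern from the page's success indicator.
ID_OUTPUT = re.compile(r"uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)")


def classify(method, uri, headers, req_body="", resp_body=""):
    """Return indicator names matched by one logged HTTP exchange.

    headers is assumed to be a dict with lowercase keys.
    """
    hits = set()
    if ENDPOINT not in uri:
        return hits
    if method == "GET" and STATIC_AUTH in headers.get("authorization", ""):
        hits.add("hardcoded-credentials")
    if (method == "POST" and '"name":"ping"' in req_body
            and '"serviceName":"SysManager"' in req_body):
        start = req_body.find(PING_PREFIX)
        if start != -1 and METACHAR.match(req_body, start + len(PING_PREFIX)):
            hits.add("command-injection")
            if ID_OUTPUT.search(resp_body):
                hits.add("execution-confirmed")
    return hits


# Constructed exchanges (not captured traffic); CMD is a placeholder token.
BASE = '{"name":"ping","serviceName":"SysManager","param":["ping 192.0.2.10%s"]}'
SAMPLES = {
    "benign_ping": ("POST", ENDPOINT, {}, BASE % "", ""),
    "injection": ("POST", ENDPOINT, {}, BASE % ";CMD", "uid=0(root) gid=0(root)"),
    "cred_login": ("GET", ENDPOINT, {"authorization": STATIC_AUTH}, "", ""),
    "other_page": ("GET", "/index.php", {"authorization": STATIC_AUTH}, "", ""),
}

if __name__ == "__main__":
    for name, exchange in SAMPLES.items():
        print(name, sorted(classify(*exchange)))
```

Like the rule's pcre, this port is not bounded by the closing quote of the `param` string, so a metacharacter later in the same body (before any `&`) also matches. Treat a `command-injection` hit without `execution-confirmed` as a lead to review, not a verdict.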
CVSS provenance
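| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | — | 5.3 | MEDIUM | — |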
GHSA
GHSA-mvp3-ghv2-w5rp: A vulnerability was found in Guangzhou Yingke Electronic Technology Ncast up to 2017 and classified as problematic
ghsa_unreviewed·2024-01-08
CVE-2024-0305 [MEDIUM] CWE-200 GHSA-mvp3-ghv2-w5rp: A vulnerability was found in Guangzhou Yingke Electronic Technology Ncast up to 2017 and classified as problematic
VulnCheck
Guangzhou Yingke Electronic Technology Ncast up to 2017 Information Disclosure
vulncheck·2024·CVSS 5.3
CVE-2024-0305 [MEDIUM] Guangzhou Yingke Electronic Technology Ncast up to 2017 Information Disclosure
Affected: ncast_project ncast
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?
Suricata
ET WEB_SPECIFIC_APPS Ncast DVR Hardcoded Credentials Login Attempt
suricata·2025-03-19
CVE-2024-0305 ET WEB_SPECIFIC_APPS Ncast DVR Hardcoded Credentials Login Attempt
Rule: alert http1 any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ncast DVR Hardcoded Credentials Login Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/classes/common/busiFacade.php"; fast_pattern; http.header; content:"Authorization|3a 20|Basic|20|aGVscGRlc2tJbnRlZ3JhdGlvblVzZXI6ZGV2LUM0RjgwMjVFNw=="; reference:url,isc.sans.edu/diary/31782; reference:cve,2024-0305; classtype:attempted-admin; sid:2060963; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_03_19, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_03_19, mitre_tactic_id T
Suricata
ET WEB_SPECIFIC_APPS Ncast DVR Command Injection Attempt (CVE-2024-0305)
suricata·2025-03-19·CVSS 5.3
CVE-2024-0305 [MEDIUM] ET WEB_SPECIFIC_APPS Ncast DVR Command Injection Attempt (CVE-2024-0305)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ncast DVR Command Injection Attempt (CVE-2024-0305)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/classes/common/busiFacade.php"; fast_pattern; http.request_body; content:"|22|name|22 3a 22|ping|22|"; content:"|22|serviceName|22 3a 22|SysManager|22|"; content:"|22|param|22 3a 5b 22|ping"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,isc.sans.edu/diary/31782; reference:cve,2024-0305; classtype:attempted-admin; sid:2060962; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_03_19, cve CVE_202
Nuclei
Ncast busiFacade - Remote Command Execution
nuclei·CVSS 7.5
CVE-2024-0305 [HIGH] Ncast busiFacade - Remote Command Execution
The Ncast Yingshi high-definition intelligent recording and playback system is a newly developed audio and video recording and playback system. The system has RCE vulnerabilities in versions 2017 and earlier.
Template:
id: CVE-2024-0305
info:
  name: Ncast busiFacade - Remote Command Execution
  author: BMCel
  severity: high
  description: |
    The Ncast Yingshi high-definition intelligent recording and playback system is a newly developed audio and video recording and playback system. The system has RCE vulnerabilities in versions 2017 and earlier.
  remediation: |
    Apply the latest security patches and updates from the vendor to address this vulnerability.
  impact: |
    Allows remote attackers to execute arbitrary code on the affected system.
  reference:
    - h