CVE-2024-0986
published 2024-01-29


Priority: P1 (83)
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: publicly disclosed
EPSS: 58.42% (99.0th percentile)
A vulnerability was found in Issabel PBX 4.0.0. It has been rated as critical. This issue affects some unknown processing of the file /index.php?menu=asterisk_cli of the component Asterisk-Cli. The manipulation of the argument Command leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252251. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Affected

1 range
Vendor/Product: issabelpbx
Version range: not listed on this page (the description above names Issabel PBX 4.0.0)
Fixed in: not listed on this page

Detection & IOCs (extracted from sources)

url: /index.php?menu=asterisk_cli
path: /index.php?menu=asterisk_cli
command: txtCommand=xmldoc+dump+%2Fvar%2Fwww%2Fbackup%2Fx%7C%7Becho%2CY2F0IC4uLy4uLy4uLy4uLy4uLy4uL2V0Yy9wYXNzd2Q%3D%7D%7C%7Bbase64%2C-d%7D%7Cbash
url: /modules/backup_restore/restore.php?filename=x%7C%7Becho,Y2F0IC4uLy4uLy4uLy4uLy4uLy4uL2V0Yy9wYXNzd2Q=%7D%7C%7Bbase64,-d%7D%7Cbash
path: /modules/backup_restore/restore.php
  • Exploit sends a POST to /index.php?menu=asterisk_cli with the 'txtCommand' parameter containing a pipe-chained OS command injection payload using base64-encoded shell commands (e.g., cat /etc/passwd).
  • A secondary exploitation step issues a GET request to /modules/backup_restore/restore.php with a 'filename' parameter containing a pipe-injected base64/bash payload, indicating chained exploitation across two endpoints.
  • Successful exploitation is confirmed by the presence of 'root:.*:0:0:' (passwd file content) in the HTTP response body, indicating /etc/passwd was read via command injection.
  • The attack requires prior authentication; monitor for login attempts to Issabel PBX followed immediately by POST requests to the asterisk_cli menu endpoint.
  • FOFA query 'title="issabel"' can be used to identify exposed Issabel PBX instances on the internet for proactive asset discovery.
  • Exploitation requires valid credentials (authenticated attack); the injected commands are base64-encoded and piped through bash, which may evade simple string-match WAF rules.
  • The Nuclei template requires supplying valid username and password variables; detections based solely on the exploit payload will miss cases where attackers use different credentials or session tokens obtained out-of-band.
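The detection points above can be turned into a small request inspector. The following is an added example written for this page, not code from the advisory, from Issabel or from the Nuclei template it cites. It assumes access to decoded HTTP requests (method, path with query string, form body) and responses, for instance from a reverse proxy log; the sample traffic is constructed here and embeds the two IOC payloads verbatim. The key step a plain string-match rule misses is unwrapping the `{echo,<base64>}|{base64,-d}|bash` chain to recover the real command.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint -> (gate parameter, required gate value, parameter that carries the injected value).
# Both endpoints and both parameter names come from this advisory's IOC list.
WATCHED = {
    "/index.php": ("menu", "asterisk_cli", "txtCommand"),
    "/modules/backup_restore/restore.php": (None, None, "filename"),
}

# The public PoC hides the real command as {echo,<base64>}|{base64,-d}|bash.
# Brace expansion keeps spaces out of the request and the base64 hides the
# command text, so a WAF rule matching "cat /etc/passwd" never fires.
B64_SMUGGLE = re.compile(
    r"\{echo,([A-Za-z0-9+/=]+)\}\s*\|\s*\{base64,-d\}\s*\|\s*(?:ba)?sh\b", re.IGNORECASE
)
# Cheap first-stage filter: any shell metacharacter in a CLI or filename argument.
SHELL_META = re.compile(r"[|;&`]|\$\(")
# Marker the exploit checks for in the response body (root's /etc/passwd entry).
PASSWD_LEAK = re.compile(r"root:.*:0:0:")


def decode_smuggled(value):
    """Return the decoded inner command of a {echo,..}|{base64,-d}|bash chain, else None."""
    m = B64_SMUGGLE.search(value)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def inspect_request(method, target, body=""):
    """Classify one request (method, path+query, form body) against the watched endpoints.

    Returns None for traffic that is not flagged, otherwise a finding dict with the
    raw argument and, when the PoC's base64 wrapper is present, the decoded command.
    """
    parts = urlsplit(target)
    rule = WATCHED.get(parts.path)
    if rule is None:
        return None
    gate_key, gate_val, param = rule
    query = parse_qs(parts.query)
    if gate_key and query.get(gate_key, [None])[0] != gate_val:
        return None
    # The asterisk_cli step POSTs txtCommand; the restore.php step uses a GET query string.
    source = parse_qs(body) if method.upper() == "POST" else query
    values = source.get(param)
    if not values or not SHELL_META.search(values[0]):
        return None
    return {
        "endpoint": parts.path,
        "param": param,
        "raw": values[0],
        "decoded": decode_smuggled(values[0]),
    }


def response_confirms_exploit(body):
    """True when the response body carries the root passwd entry the exploit looks for."""
    return PASSWD_LEAK.search(body) is not None


# Constructed sample traffic: the two payloads from the IOC list above, one
# ordinary asterisk_cli command, and an unrelated page load.
SAMPLE_REQUESTS = [
    ("POST", "/index.php?menu=asterisk_cli",
     "txtCommand=xmldoc+dump+%2Fvar%2Fwww%2Fbackup%2Fx%7C%7Becho%2C"
     "Y2F0IC4uLy4uLy4uLy4uLy4uLy4uL2V0Yy9wYXNzd2Q%3D%7D%7C%7Bbase64%2C-d%7D%7Cbash"),
    ("GET", "/modules/backup_restore/restore.php?filename=x%7C%7Becho,"
     "Y2F0IC4uLy4uLy4uLy4uLy4uLy4uL2V0Yy9wYXNzd2Q=%7D%7C%7Bbase64,-d%7D%7Cbash", ""),
    ("POST", "/index.php?menu=asterisk_cli", "txtCommand=core+show+channels"),
    ("GET", "/index.php?menu=dashboard", ""),
]


def scan(requests=SAMPLE_REQUESTS):
    """Run inspect_request over a batch and keep only the findings."""
    return [f for f in (inspect_request(*r) for r in requests) if f]


if __name__ == "__main__":
    for f in scan():
        print(f["endpoint"], f["param"], "->", f["decoded"] or f["raw"])
```

Running the script flags both IOC requests and prints the unwrapped command from each (the base64 in the IOCs decodes to a `cat` of `/etc/passwd` via a `../` traversal), while the plain `core show channels` request and the dashboard load pass. Pair the request-side finding with `response_confirms_exploit` on the matching response to distinguish an attempt from a successful read, as the exploit itself does.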

CVSS provenance

NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 5.8 MEDIUM, AV:N/AC:L/Au:M/C:P/I:P/A:P

Note the inconsistency between the two vectors: v3.1 scores PR:N (no privileges required), while v2.0 carries Au:M (multiple authentication) and the public exploit and Nuclei template described above both need a valid Issabel login. Treat 9.8 as an upper bound and prioritise by whether the admin interface is reachable from untrusted networks and whether its credentials are weak or shared.