CVE-2024-2330
published 2024-03-09

Priority: P1 · 85 · critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 17.62% (96.8th percentile)
A vulnerability was found in Netentsec NS-ASG Application Security Gateway 6.3. It has been classified as critical. This affects an unknown part of the file /protocol/index.php. The manipulation of the argument IPAddr leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-256281 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netentsec | application_security_gateway | | |
| netentsec | ns-asg_application_security_gateway | | |

Detection & IOCs (extracted from sources)

path: /protocol/index.php
command: jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}
yara: contains_all(body,"XPATH syntax error:","alert") && contains(header,"text/html")
  • Detect exploitation attempts by monitoring POST requests to /protocol/index.php containing the 'addmacbind' protocolType and SQL injection payloads in the IPAddr field (e.g., updatexml, concat(0x7e,...)).
  • A successful exploitation response will contain the string 'XPATH syntax error:' in the response body along with an 'alert' string and Content-Type: text/html header.
  • Extract the leaked database version from the error-based SQLi response using the regex pattern: XPATH syntax error: '([~0-9.]+)'
  • The SQL injection is triggered via the IPAddr parameter within a JSON payload sent as application/x-www-form-urlencoded to /protocol/index.php; monitor for single-quote characters and SQL keywords in this field.
  • The vulnerability requires authentication (PR:L in CVSS); ensure detection rules account for authenticated sessions, as unauthenticated probes to /protocol/index.php may not reach the vulnerable code path.
  • The EPSS score is extremely high (0.92746, 99.755th percentile), indicating this CVE is very likely being actively exploited in the wild; prioritize detection and patching accordingly.
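
The detection notes above, as an added example (not code from this page, its sources or the vendor): a Python check that decodes the form-encoded jsoncontent body, flags a quote or SQL keyword in IPAddr for addmacbind requests, and correlates the request with the response signature. The event field names (method, path, req_body, resp_type, resp_body), the keyword list in SQLI_RE and the sample values are assumptions.

```python
import json
import re
from urllib.parse import parse_qs, urlencode

VULN_PATH = "/protocol/index.php"
SQLI_RE = re.compile(r"'|updatexml|concat\s*\(|\bselect\b|0x7e", re.I)
LEAK_RE = re.compile(r"XPATH syntax error: '([~0-9.]+)'")

def suspicious_ipaddrs(method, path, body):
    """IPAddr values in an addmacbind POST that hold a quote or SQL keyword."""
    if method.upper() != "POST" or path.split("?")[0] != VULN_PATH:
        return []
    hits = []
    for raw in parse_qs(body).get("jsoncontent", []):
        try:
            outer = json.loads(raw)
            if outer.get("protocolType") != "addmacbind":
                continue
            for item in outer.get("messagecontent", []):
                ip = str(json.loads(item).get("IPAddr", ""))
                if SQLI_RE.search(ip):
                    hits.append(ip)
        except (ValueError, AttributeError, TypeError):
            continue  # body is not the expected nested JSON
    return hits

def response_leak(content_type, body):
    """Leaked string if the response matches the error signature, else None."""
    wanted = ("XPATH syntax error:", "alert")
    if "text/html" not in content_type.lower() or not all(w in body for w in wanted):
        return None
    match = LEAK_RE.search(body)
    return match.group(1) if match else ""

def classify(ev):
    """Grade one pair (assumed field names): 'none', 'attempt' or 'success'."""
    if not suspicious_ipaddrs(ev["method"], ev["path"], ev["req_body"]):
        return "none"
    leaked = response_leak(ev["resp_type"], ev["resp_body"])
    return "attempt" if leaked is None else "success"

def sample_event(ipaddr, resp_body):
    """Constructed event (not captured traffic) in the jsoncontent shape above."""
    inner = json.dumps({"BandIPMacId": "1", "IPAddr": ipaddr, "MacAddr": ""})
    outer = json.dumps({"protocolType": "addmacbind", "messagecontent": [inner]})
    return {"method": "POST", "path": VULN_PATH, "resp_type": "text/html",
            "req_body": urlencode({"jsoncontent": outer}), "resp_body": resp_body}

if __name__ == "__main__":
    print(classify(sample_event("10.0.0.5'", "<script>alert('saved')</script>")))
```

Grading "attempt" separately from "success" lets triage start with the requests whose responses actually returned the error-based signature.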

CVSS provenance

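| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vulncheck | | 6.3 | MEDIUM | |
| vendor_redhat | | 7.8 | HIGH | |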