CVE-2024-24578
published 2024-03-18


Priority: P275
Severity: critical, CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 8.74% (94.5th percentile)
RaspberryMatic is an open-source operating system for HomeMatic internet-of-things devices. RaspberryMatic / OCCU prior to version 3.75.6.20240316 contains an unauthenticated remote code execution (RCE) vulnerability caused by multiple issues within the Java-based `HMIPServer.jar` component. RaspberryMatic includes a Java-based `HMIPServer` that can be accessed through URLs starting with `/pages/jpages`. The `FirmwareController` class, however, performs no session ID checks, so this functionality can be reached without a valid session. As a result, attackers can gain remote code execution as the root user, leading to full system compromise. Version 3.75.6.20240316 contains a patch.

Affected (2 ranges)

Vendor          Product         Version range        Fixed in
jens-maus       raspberrymatic  < 3.75.6.20240316    3.75.6.20240316
raspberrymatic  raspberrymatic  < 3.75.6.20240316    3.75.6.20240316

Detection & IOCs (extracted from sources)

URL:  /pages/jpages
URL:  /pages/jpages/system/DeviceFirmware/addFirmware
Path: /usr/local/addons/mediola/bin/
  • Monitor for unauthenticated HTTP requests to `/pages/jpages` endpoints, in particular POST requests to `/pages/jpages/system/DeviceFirmware/addFirmware` that carry no valid session cookie; such requests indicate exploitation attempts.
  • Detect uploads of `.tgz` archives whose member file names contain path traversal sequences (`../`); these indicate a Zip Slip attack against the firmware upload endpoint.
  • Alert on unexpected file writes or modifications under `/usr/local/addons/mediola/bin/`, particularly to the watchdog script, since that is the target used for payload persistence via cron-based execution.
  • Monitor for root processes spawned by cron jobs that execute scripts under `/usr/local/addons/mediola/bin/`; these may indicate successful exploitation and RCE.
  • The vulnerability affects RaspberryMatic / OCCU versions up to and including `3.73.9.20240130` (per the Metasploit module) and prior to `3.75.6.20240316` (per NVD). Ensure that version checks in detection logic account for this range.
  • The exploit leverages the Java-based `HMIPServer.jar` component. Detection or patching efforts should confirm that the patched version (3.75.6.20240316) has actually been applied to this specific component.
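The following Python is an added example, not code from this page or from the RaspberryMatic/OCCU project. It turns the first two detection bullets and the version-range note into checks: flagging `/pages/jpages` requests that carry no session, listing `.tgz` members whose names would escape the extraction directory, and comparing a version string against the fixed release. The session token name `sid` (as cookie or query parameter), the request records and the sample archive are assumptions constructed for the example.

```python
# Added detection helpers for CVE-2024-24578; not RaspberryMatic/OCCU project code.
import io
import posixpath
import tarfile

FIXED_VERSION = (3, 75, 6, 20240316)  # patched release named in the advisory
JPAGES_PREFIX = "/pages/jpages"         # HMIPServer URL prefix reachable without a session
SESSION_NAME = "sid"                    # ASSUMED cookie / query parameter name, not from the advisory

def is_affected_version(version: str) -> bool:
    """True when a dotted RaspberryMatic version string is older than the fixed release."""
    return tuple(int(p) for p in version.split(".")) < FIXED_VERSION

def flag_unauthenticated_jpages(requests: list) -> list:
    """Describe each /pages/jpages request that carries neither a session cookie nor a sid parameter."""
    hits = []
    for req in requests:
        path = req["path"]
        if not path.startswith(JPAGES_PREFIX):
            continue
        token = f"{SESSION_NAME}="
        in_cookie = token in req.get("headers", {}).get("Cookie", "")
        in_query = token in path.partition("?")[2]
        if not (in_cookie or in_query):
            hits.append(f"{req['method']} {path} from {req['src']}")
    return hits

def traversal_members(tgz_bytes: bytes) -> list:
    """Return .tgz member names that would escape the extraction directory (Zip Slip)."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            # Absolute names, or names whose first component is still ".." after normalisation, land outside the unpack directory.
            if member.name.startswith("/") or posixpath.normpath(member.name).split("/")[0] == "..":
                bad.append(member.name)
    return bad

def build_sample_tgz(names: list) -> bytes:  # constructed in-memory archive for offline testing
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            info = tarfile.TarInfo(name=name)
            info.size = 1
            tar.addfile(info, io.BytesIO(b"x"))
    return buf.getvalue()

SAMPLE_REQUESTS = [  # constructed requests, not captured traffic
    {"method": "POST", "path": "/pages/jpages/system/DeviceFirmware/addFirmware", "src": "10.0.0.7", "headers": {}},
    {"method": "POST", "path": "/pages/jpages/system/DeviceFirmware/addFirmware?sid=@demo@", "src": "10.0.0.8", "headers": {}},
]
```

Feed `flag_unauthenticated_jpages()` parsed web-server log records and `traversal_members()` the raw bytes of an uploaded archive before it is unpacked.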