cbcvebase.
CVE-2024-25830
published 2024-02-29

CVE-2024-25830: F-logic DataCube3 v1.0 is vulnerable to Incorrect Access Control due to an improper directory access restriction. An unauthenticated, remote attacker can…

PriorityP180critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
24.03%
97.6th percentile
F-logic DataCube3 v1.0 is vulnerable to Incorrect Access Control due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains the path of the configuration file. A successful exploit could allow the attacker to extract the root and admin password.

Affected

1 ranges
VendorProductVersion rangeFixed in
f-logicdatacube3_firmware

Detection & IOCsextracted from sources · hover to see the quote

path/admin/config_all.php
path/admin/setting_photo.php
filenamervs.php
path/images/slideshow/rvs.php
path/images/slideshow/
  • Unauthenticated GET request to /admin/config_all.php leaks root and admin credentials; monitor for unauthenticated access (no session cookie) to this path returning HTTP 200 instead of 302.
  • Exploit chain begins with unauthenticated GET to /admin/config_all.php; a non-302 response indicates the device is exposed and vulnerable.
  • Uploaded PHP reverse shell is placed under /images/slideshow/; monitor for new .php files created in this web-accessible directory.
  • POST login to /admin/config_all.php uses user_id=root with a leaked password; alert on POST requests to this endpoint with user_id=root from external/untrusted sources.
  • Multipart boundary '-----------------------------113389720123090127612523184396' is hardcoded in the PoC exploit; presence of this exact boundary in HTTP traffic is a strong indicator of exploit tool usage.
  • ·The credential leak endpoint (/admin/config_all.php) returns a 302 redirect for authenticated/normal access; the exploit relies on the server returning HTTP 200 with config data to unauthenticated requests — detection logic should flag 200 responses to this path from unauthenticated sessions.
  • ·The exploit targets DataCube3 version 1.0 running on Ubuntu; the unrestricted file upload (CVE-2024-25832) is chained after the credential leak (CVE-2024-25830) to achieve RCE — both CVEs must be present for the full exploit chain to succeed.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.