CVE-2024-25830
Published 2024-02-29
Priority P180 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: EPSS 24.03% (97.6th percentile)
F-logic DataCube3 v1.0 is vulnerable to Incorrect Access Control due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains the path of the configuration file. A successful exploit could allow the attacker to extract the root and admin password.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| f-logic | datacube3_firmware | — | — |
Detection & IOCs (extracted from sources)
- Unauthenticated GET request to /admin/config_all.php leaks root and admin credentials; monitor for unauthenticated access (no session cookie) to this path returning HTTP 200 instead of 302.
- Exploit chain begins with unauthenticated GET to /admin/config_all.php; a non-302 response indicates the device is exposed and vulnerable.
- Uploaded PHP reverse shell is placed under /images/slideshow/; monitor for new .php files created in this web-accessible directory.
- POST login to /admin/config_all.php uses user_id=root with a leaked password; alert on POST requests to this endpoint with user_id=root from external/untrusted sources.
- Multipart boundary '-----------------------------113389720123090127612523184396' is hardcoded in the PoC exploit; presence of this exact boundary in HTTP traffic is a strong indicator of exploit tool usage.
- The credential leak endpoint (/admin/config_all.php) returns a 302 redirect for authenticated/normal access; the exploit relies on the server returning HTTP 200 with config data to unauthenticated requests. Detection logic should flag 200 responses to this path from unauthenticated sessions.
- The exploit targets DataCube3 version 1.0 running on Ubuntu; the unrestricted file upload (CVE-2024-25832) is chained after the credential leak (CVE-2024-25830) to achieve RCE. Both CVEs must be present for the full exploit chain to succeed.
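The indicators above translate directly into log-based detection. The following is an added example (not code from the page, the PoC, or the vendor) that runs those rules over web-server log records and correlates the two stages of the chain per source address. It assumes a JSON-lines log format with src, method, path, status, cookie, content_type and body fields, a trusted management network of 10.0.0.0/8, and uses placeholders for the upload endpoint and the leaked password, neither of which the page names.

```python
"""Detection rules for the CVE-2024-25830 / CVE-2024-25832 chain over
constructed log records. Example code; log format and networks are assumptions."""
import ipaddress
import json
from urllib.parse import parse_qs

CONFIG_PATH = "/admin/config_all.php"          # credential-leak endpoint (from the advisory)
UPLOAD_DIR = "/images/slideshow/"              # where the uploaded PHP shell lands (from the advisory)
POC_BOUNDARY = "-----------------------------113389720123090127612523184396"  # hardcoded in the PoC
# Assumption: the operator's management network; requests from here are treated as trusted.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample log (JSON lines, assumed reverse-proxy format). The upload
# endpoint path and the password value are placeholders, not values from the page.
SAMPLE_LOG = """\
{"src": "10.0.0.7", "method": "GET", "path": "/admin/config_all.php", "status": 302, "cookie": "", "content_type": "", "body": ""}
{"src": "10.0.0.7", "method": "GET", "path": "/admin/config_all.php", "status": 200, "cookie": "PHPSESSID=abc", "content_type": "", "body": ""}
{"src": "203.0.113.5", "method": "GET", "path": "/admin/config_all.php", "status": 200, "cookie": "", "content_type": "", "body": ""}
{"src": "203.0.113.5", "method": "POST", "path": "/admin/config_all.php", "status": 302, "cookie": "", "content_type": "application/x-www-form-urlencoded", "body": "user_id=root&password=PLACEHOLDER"}
{"src": "203.0.113.5", "method": "POST", "path": "/UPLOAD_ENDPOINT_PLACEHOLDER", "status": 200, "cookie": "PHPSESSID=def", "content_type": "multipart/form-data; boundary=-----------------------------113389720123090127612523184396", "body": ""}
{"src": "203.0.113.5", "method": "GET", "path": "/images/slideshow/shell.php", "status": 200, "cookie": "", "content_type": "", "body": ""}
{"src": "198.51.100.9", "method": "GET", "path": "/images/slideshow/banner.jpg", "status": 200, "cookie": "", "content_type": "", "body": ""}
"""


def is_trusted(src: str) -> bool:
    """True when the client address falls inside an assumed trusted network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETS)


def check_record(rec: dict) -> list:
    """Apply the page's indicators to one log record; returns the rule names that fired."""
    alerts = []
    path = rec["path"].split("?", 1)[0]            # ignore any query string
    method, status = rec["method"], int(rec["status"])
    authenticated = bool(rec.get("cookie"))        # no session cookie == unauthenticated

    # Stage 1: config file served with 200 to a request carrying no session.
    if path == CONFIG_PATH and method == "GET" and status == 200 and not authenticated:
        alerts.append("unauthenticated-config-read")

    # Login as root at the leak endpoint from an untrusted source.
    if path == CONFIG_PATH and method == "POST" and not is_trusted(rec["src"]):
        if parse_qs(rec.get("body", "")).get("user_id") == ["root"]:
            alerts.append("root-login-from-untrusted")

    # The PoC's hardcoded multipart boundary anywhere in the Content-Type header.
    if POC_BOUNDARY in rec.get("content_type", ""):
        alerts.append("poc-multipart-boundary")

    # Stage 2: a PHP file being requested from the web-accessible upload directory.
    if path.startswith(UPLOAD_DIR) and path.lower().endswith(".php"):
        alerts.append("php-in-upload-dir")
    return alerts


def scan(log_text: str) -> list:
    """Return (src, path, rule) tuples for every rule that fired over the log."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        for rule in check_record(rec):
            hits.append((rec["src"], rec["path"], rule))
    return hits


def chain_sources(hits: list) -> set:
    """Sources that show both the credential-leak stage and the upload-dir stage."""
    by_src = {}
    for src, _path, rule in hits:
        by_src.setdefault(src, set()).add(rule)
    return {src for src, rules in by_src.items()
            if "unauthenticated-config-read" in rules and "php-in-upload-dir" in rules}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("full chain observed from:", chain_sources(found))
```

The trusted-network check deliberately uses an explicit allow-list rather than ipaddress's is_private, because the RFC 5737 documentation ranges used in the sample are themselves classed as private by that property and would silently suppress the root-login rule.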
No detection rules found.
No writeups or analysis indexed.