⚠ Actively exploited

Added to CISA KEV on 2024-09-18. Federal agencies required to patch by 2024-10-09. Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable..

CVE-2024-27348 — Improper Access Control in Software Foundation Apache Hugegraph-server

CWE-284 — Improper Access Control CWE-77 — Command Injection12 documents11 sources

Severity

9.8CRITICALNVD

EPSS

94.3%

top 0.04%

CISA KEV

KEV

Added 2024-09-18

Due 2024-10-09

Exploit

Exploited in wild

Active exploitation observed

Affected products

Apache Software Foundation Apache Hugegraph-server Apache Hugegraph

Timeline

PublishedApr 22

KEV addedSep 18

KEV dueOct 9

Latest updateApr 10

CISA Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

RCE-Remote Command Execution vulnerability in Apache HugeGraph-Server.This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.3.0 in Java8 & Java11 Users are recommended to upgrade to version 1.3.0 with Java11 & enable the Auth system, which fixes the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5apache_software_foundation/apache_hugegraph-server1.0.0 — 1.3.0

▶NVDapache/hugegraph1.0.0 — 1.3.0

🔴Vulnerability Details

CVEList

Apache HugeGraph-Server: Command execution in gremlin↗2024-04-22

▶

GHSA

Apache HugeGraph-Server: Command execution in gremlin↗2024-04-22

▶

OSV

Apache HugeGraph-Server: Command execution in gremlin↗2024-04-22

▶

VulnCheck

Apache HugeGraph-Server Improper Access Control Vulnerability↗2024

▶

💥Exploits & PoCs

Exploit-DB

Apache HugeGraph Server 1.2.0 - Remote Code Execution (RCE)↗2025-04-09

▶

Nuclei

Apache HugeGraph-Server - Remote Command Execution

▶

Metasploit

Apache HugeGraph Gremlin RCE↗

▶

🔍Detection Rules

Suricata

ET WEB_SPECIFIC_APPS Apache HugeGraph <1.2.0 Unauthenticated Remote Code Execution (CVE-2024-27348)↗2025-04-10

▶

Suricata

ET WEB_SPECIFIC_APPS Apache HugeGraph Gremlin SecurityManager Reflection Filter Bypass (CVE-2024-27348)↗2024-09-30

▶

📋Vendor Advisories

CISA

Apache HugeGraph-Server Improper Access Control Vulnerability↗2024-09-18

▶

🕵️Threat Intelligence

Bleepingcomputer

CISA warns of actively exploited Apache HugeGraph-Server bug↗2024-09-19

▶