cbcvebase.
CVE-2024-39844
published 2024-07-03

CVE-2024-39844: In ZNC before 1.9.1, remote code execution can occur in modtcl via a KICK.

PriorityP265critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
3.86%
88.9th percentile
In ZNC before 1.9.1, remote code execution can occur in modtcl via a KICK.

Affected

5 ranges
VendorProductVersion rangeFixed in
debianznc< znc 1.8.2-3.1+deb12u1 (bookworm)znc 1.8.2-3.1+deb12u1 (bookworm)
zncznc>= 0 < 1.8.2-2+deb11u11.8.2-2+deb11u1
zncznc>= 0 < 1.8.2-3.1+deb12u11.8.2-3.1+deb12u1
zncznc>= 0 < 1.9.1-11.9.1-1
zncznc>= 0 < 1.9.1-11.9.1-1

Detection & IOCsextracted from sources · hover to see the quote

  • Vulnerability is triggered via a KICK IRC command in ZNC's modtcl module, enabling remote code execution. Monitor for unexpected KICK commands processed by ZNC instances running modtcl.
  • Attack vector requires the ZNC user to be connected to a malicious IRC server. Investigate ZNC server connections to untrusted or unknown IRC servers.
  • ·The vulnerability only affects ZNC instances with the modtcl module loaded. Verify whether modtcl is enabled before prioritizing remediation.
  • ·Fixed in ZNC 1.9.1. Debian bookworm fix is in 1.8.2-3.1+deb12u1, bullseye in 1.8.2-2+deb11u1. Ensure patched versions are deployed.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv9.8CRITICAL
vendor_debian9.8CRITICAL
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.