CVE-2024-46506
Published: 2025-05-13
Severity: critical, CVSS 3.1 base score 10.0 (full vector under "CVSS provenance" below)
Exploitation status: exploited in the wild (ITW); listed in VulnCheck KEV; initial access
EPSS: 50.23% (98.8th percentile)
NetAlertX 23.01.14 through 24.x before 24.10.12 allows unauthenticated command injection via settings update because function=savesettings lacks an authentication requirement, as exploited in the wild in May 2025. This is related to settings.php and util.php.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netalertx | netalertx | >= 23.01.14 < 24.10.12 | 24.10.12 |
Detection & IOCs (extracted from sources)

Command IOC (request body as quoted by the source):
function=savesettings&settings=[["DBCLNP","DBCLNP_RUN","string","schedule"],["DBCLNP","DBCLNP_CMD","string","{{marker}}"],["DBCLNP","DBCLNP_RUN_SCHD","string","* * * * *"]]

Detection guidance:
- Detect unauthenticated POST requests to /php/server/util.php with the body parameter function=savesettings — no authentication headers required, indicating an exploitation attempt.
- Look for POST requests to /php/server/util.php with function=addToExecutionQueue and a pipe character (|) in the action parameter, which is used to chain the cron_restart_backend command after injecting a payload.
- Monitor for writes to the DBCLNP_CMD setting via savesettings, particularly with cron-schedule strings (DBCLNP_RUN_SCHD: * * * * *), indicating an attacker scheduling arbitrary command execution.
- Use the FOFA/Shodan fingerprint title="netalertx" to identify exposed NetAlertX instances for proactive asset identification and patching prioritization.
- A Metasploit module exists for this CVE; monitor for exploitation patterns consistent with the module's HTTP request sequence against /php/server/util.php.
- Confirm exploitation by checking GET /api/table_settings.json for unexpected or attacker-controlled values in DBCLNP_CMD, which persists the injected command.

Notes:
- The vulnerability is exploited via two sequential unauthenticated POST requests to util.php — first to inject a command via savesettings, then to trigger execution via addToExecutionQueue. Detection logic must account for this two-step attack chain.
- The injected command is executed via a cron-like scheduler (DBCLNP_RUN_SCHD: * * * * *), meaning payload execution may be delayed by up to one minute after the initial settings injection request.
- This vulnerability was actively exploited in the wild as of May 2025; treat any NetAlertX instance below version 24.10.12 as critically exposed.
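The two-step chain described in the notes above, expressed as correlation logic over constructed request records. This is an added detection example, not code from the page's sources or from NetAlertX; the record field names, the two-minute correlation window and the PLACEHOLDER_ACTION value are assumptions.

```python
import json
from datetime import datetime, timedelta
from urllib.parse import parse_qs

UTIL_PATH = "/php/server/util.php"
CHAIN_WINDOW = timedelta(seconds=120)  # assumption: inject and trigger arrive within two minutes

SAMPLE_REQUESTS = [  # constructed, not captured traffic; the command value is the {{marker}} placeholder
    {"ts": "2025-05-13T10:00:00", "src": "198.51.100.7", "method": "POST", "path": UTIL_PATH, "headers": {},
     "body": 'function=savesettings&settings=[["DBCLNP","DBCLNP_RUN","string","schedule"],'
             '["DBCLNP","DBCLNP_CMD","string","{{marker}}"],["DBCLNP","DBCLNP_RUN_SCHD","string","* * * * *"]]'},
    {"ts": "2025-05-13T10:00:02", "src": "198.51.100.7", "method": "POST", "path": UTIL_PATH, "headers": {},
     "body": "function=addToExecutionQueue&action=PLACEHOLDER_ACTION|cron_restart_backend"},
    {"ts": "2025-05-13T10:05:00", "src": "10.0.0.5", "method": "POST", "path": UTIL_PATH,  # legitimate admin save
     "headers": {"Cookie": "PHPSESSID=constructed"}, "body": 'function=savesettings&settings=[["UI","UI_LANG","string","en"]]'},
]

def classify(req):
    """Label a request 'inject' (DBCLNP_CMD written), 'trigger' (queued action with a pipe) or None."""
    if req["method"] != "POST" or req["path"] != UTIL_PATH:
        return None
    params = parse_qs(req["body"])
    func = params.get("function", [""])[0]
    if func == "savesettings":
        try:
            rows = json.loads(params.get("settings", ["[]"])[0])
        except json.JSONDecodeError:
            return None
        # Each settings row is [group, key, type, value]; only the key matters for this rule.
        if any(isinstance(r, list) and len(r) > 1 and r[1] == "DBCLNP_CMD" for r in rows):
            return "inject"
    elif func == "addToExecutionQueue" and "|" in params.get("action", [""])[0]:
        return "trigger"
    return None

def unauthenticated(req):
    """True when the request carries neither a Cookie nor an Authorization header."""
    return not {k.lower() for k in req.get("headers", {})} & {"cookie", "authorization"}

def detect_chain(requests, window=CHAIN_WINDOW):
    """Alert on every DBCLNP_CMD write; escalate when the same source follows it with a trigger in time."""
    alerts, last_inject = [], {}
    for req in sorted(requests, key=lambda r: r["ts"]):
        kind, ts = classify(req), datetime.fromisoformat(req["ts"])
        if kind == "inject":
            alerts.append({"severity": "high", "src": req["src"], "ts": req["ts"], "unauthenticated": unauthenticated(req),
                           "rule": "DBCLNP_CMD written via savesettings"})
            last_inject[req["src"]] = ts
        elif kind == "trigger" and req["src"] in last_inject and ts - last_inject[req["src"]] <= window:
            alerts.append({"severity": "critical", "src": req["src"], "ts": req["ts"], "rule": "savesettings then addToExecutionQueue"})
    return alerts
```

The legitimate authenticated save in the sample produces no alert, while the unauthenticated pair from one source yields a high alert for the DBCLNP_CMD write and a critical one for the completed chain.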
CVSS provenance
- NVD: CVSS v3.1, 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- VulnCheck: 10.0 CRITICAL
GHSA
GHSA-3qp4-7wm4-9hhr: NetAlertX 23 (ghsa_unreviewed, 2025-05-13)
CVE-2024-46506 [CRITICAL], CWE-306 (Missing Authentication for Critical Function)
VulnCheck
netalertx netalertx Missing Authentication for Critical Function (vulncheck, 2024, CVSS 10.0)
CVE-2024-46506 [CRITICAL]
Affected: NetAlertX NetAlertX
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2024-46506; https://app.crowdsec.net/cti/cve-explorer/CVE-2024-46506; https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2024-46506&date=2025-10-17; https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2
No detection rules found.
Nuclei
NetAlertX 23.01.14–24.x < 24.10.12 - Remote Code Execution (nuclei, CVSS 10.0)
CVE-2024-46506 [CRITICAL]
Template (truncated in source):

```yaml
id: CVE-2024-46506

info:
  name: NetAlertX 23.01.14–24.x < 24.10.12 - Remote Code Execution
  author: s4e-io
  severity: critical
  description: |
    NetAlertX 23.01.14 through 24.x before 24.10.12 allows unauthenticated command injection via settings update because function=savesettings lacks an authentication requirement, as exploited in the wild in May 2025. This is related to settings.php and util.php.
  impact: |
    Unauthenticated attackers can execute arbitrary commands o
```
Metasploit
Unauthenticated RCE in NetAlertX (metasploit)
An attacker can update NetAlertX settings with no authentication, which results in RCE.
No writeups or analysis indexed.

Timeline
- 2025-05-13: published
- Exploited in the wild