CVE-2024-48760
published 2025-01-14


Priority: P278 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 45.11% (98.6th percentile)
An issue in GestioIP v3.5.7 allows a remote attacker to execute arbitrary code via the file upload function. The attacker can upload a malicious perlcmd.cgi file that overwrites the original upload.cgi file, enabling remote command execution.

Affected (1 range)

Vendor      Product     Version range   Fixed in
gestioip    gestioip    -               -

Detection & IOCs (extracted from sources)

  • path: /gestioip/api/upload.cgi
  • filename: upload.cgi
  • filename: perlcmd.cgi
  • url: http://localhost/gestioip/api/upload.cgi
  • Monitor for HTTP POST requests to /gestioip/api/upload.cgi where the uploaded filename is 'upload.cgi' — this indicates the attacker is overwriting the upload handler with a backdoor.
  • Detect HTTP GET requests to /gestioip/api/upload.cgi with a QUERY_STRING parameter — the backdoor executes the query string as a shell command, so any GET with a query string to this endpoint is suspicious post-compromise.
  • Alert on the backdoor liveness check: HTTP GET to /gestioip/api/upload.cgi?whoami returning 'www-data' in the response body indicates the backdoor is active.
  • The backdoor CGI script decodes URL-encoded shell metacharacters (%20, %3b, %7c, %27, %22, %5D, %5B) from QUERY_STRING before executing them — look for these encoded characters in GET requests to upload.cgi.
  • The multipart POST upload uses form fields 'file_name' and 'leases_file' — a POST to upload.cgi with file_name value of 'upload.cgi' is a strong indicator of exploitation.
  • If GestioIP is configured with no authentication for the admin account, the vulnerability is exploitable without credentials — monitor unauthenticated POSTs to /gestioip/api/upload.cgi.
  • Exploitation requires admin credentials unless GestioIP is configured with no authentication for the admin account, in which case no credentials are needed.
  • The vulnerability is specific to GestioIP version 3.5.7; verify the deployed version before applying detections.
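The detection notes above can be turned into a small log-scanning check. The following is an added example written for this page; it is not code from GestioIP, from the CVE source, or from the exploit. It assumes Apache common/combined-format access logs, takes the endpoint path, the `file_name` / `leases_file` form fields and the encoded-metacharacter list from the notes above, and the log lines and multipart body it runs on are constructed samples. Because a web server access log does not record POST bodies, the upload-handler-overwrite check needs the request body from a WAF, reverse proxy or packet capture, which is why `check_request` accepts it as a separate argument.

```python
"""Flag requests that match the GestioIP upload.cgi indicators listed above.

Added example for this page (not GestioIP or CVE-source code). Log lines and
the multipart body are constructed samples; field names come from the notes.
"""
import re
from urllib.parse import urlsplit

UPLOAD_CGI = "/gestioip/api/upload.cgi"

# URL-encoded shell metacharacters the notes say the backdoor decodes before
# executing the query string (matched case-insensitively).
ENCODED_METACHARS = ("%20", "%3b", "%7c", "%27", "%22", "%5d", "%5b")

# Common/combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Value of the multipart form field "file_name" (blank line, then the value).
FIELD_RE = re.compile(r'name="file_name"\r?\n\r?\n([^\r\n]*)')
# filename="..." of any uploaded part (e.g. the leases_file part).
PART_FILENAME_RE = re.compile(r'filename="([^"]*)"')


def check_request(method, target, body=None):
    """Return the list of indicator names the request triggers ([] = nothing)."""
    parts = urlsplit(target)
    if parts.path != UPLOAD_CGI:
        return []
    hits = []
    # Indicator: POST that names the upload handler itself as the target file.
    if method == "POST" and body is not None:
        names = set(FIELD_RE.findall(body)) | set(PART_FILENAME_RE.findall(body))
        if "upload.cgi" in names:
            hits.append("upload_handler_overwrite")
    # Indicators: any GET with a query string to this endpoint is suspicious;
    # 'whoami' is the liveness check; encoded metacharacters mean a command.
    if method == "GET" and parts.query:
        hits.append("get_with_query_string")
        if parts.query == "whoami":
            hits.append("backdoor_liveness_check")
        lowered = parts.query.lower()
        if any(enc in lowered for enc in ENCODED_METACHARS):
            hits.append("encoded_shell_metachars")
    return hits


def scan_access_log(lines):
    """Return (client_ip, target, hits) for every log line that triggers an indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip
        hits = check_request(m["method"], m["target"])
        if hits:
            findings.append((m["ip"], m["target"], hits))
    return findings


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Jan/2025:10:00:01 +0000] "GET /gestioip/index.cgi HTTP/1.1" 200 512',
    '10.0.0.9 - - [14/Jan/2025:10:02:11 +0000] "GET /gestioip/api/upload.cgi?whoami HTTP/1.1" 200 9',
    '10.0.0.9 - - [14/Jan/2025:10:02:40 +0000] "GET /gestioip/api/upload.cgi?hostname%3bid HTTP/1.1" 200 64',
    '10.0.0.7 - - [14/Jan/2025:10:03:00 +0000] "POST /gestioip/api/upload.cgi HTTP/1.1" 200 37',
]

# Constructed multipart body as a WAF or proxy would capture it (contents omitted).
SAMPLE_POST_BODY = (
    "------boundary\r\n"
    'Content-Disposition: form-data; name="file_name"\r\n\r\n'
    "upload.cgi\r\n"
    "------boundary\r\n"
    'Content-Disposition: form-data; name="leases_file"; filename="perlcmd.cgi"\r\n'
    "Content-Type: application/octet-stream\r\n\r\n"
    "(file contents omitted)\r\n"
    "------boundary--\r\n"
)

if __name__ == "__main__":
    for ip, target, hits in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {target}: {', '.join(hits)}")
    print("POST body check:", check_request("POST", UPLOAD_CGI, SAMPLE_POST_BODY))
```

On the sample log the two GETs from 10.0.0.9 are flagged (liveness check, then a query string carrying an encoded `;`), while the POST line is silent because the access log has no body; feeding the captured body through `check_request` is what raises `upload_handler_overwrite`. The empty-query GET to upload.cgi is deliberately not flagged, since the notes only call out GETs that carry a query string.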