CVE-2024-48766
published 2025-05-13CVE-2024-48766: NetAlertX 24.7.18 before 24.10.12 allows unauthenticated file reading because an HTTP client can ignore a redirect, and because of factors related to strpos…
PriorityP186high8.6CVSS 3.1
AVNACLPRNUINSCCHINAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
56.95%
98.9th percentile
NetAlertX 24.7.18 before 24.10.12 allows unauthenticated file reading because an HTTP client can ignore a redirect, and because of factors related to strpos and directory traversal, as exploited in the wild in May 2025. This is related to components/logs.php.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netalertx | netalertx | >= 24.7.18 < 24.10.12 | 24.10.12 |
Detection & IOCsextracted from sources · hover to see the quote
otheritems=[{"buttons":[{"labelStringCode":"Maint_PurgeLog","event":"logManage(app.log, cleanLog)"},{"labelStringCode":"Maint_RestartServer","event":"askRestartBackend()"}],"fileName":"{{filename}}","filePath":"../../../../..//etc/passwd","textAreaCssClass":"logs"}]↗
sigma↗
regex('root:.*:0:0:', body) AND contains(body, 'Purge log') AND status_code == 200- →Look for unauthenticated POST requests to /php/components/logs.php containing a 'filePath' parameter with directory traversal sequences (e.g., '../../../../../'). ↗
- →HTTP clients may ignore redirects to bypass authentication on the logs.php endpoint — monitor for direct POST requests to this endpoint without a prior authenticated session. ↗
- →Inspect POST body for the JSON structure containing 'filePath' with traversal patterns and 'textAreaCssClass':'logs' as a fingerprint of exploit attempts. ↗
- →Alert on HTTP 200 responses from /php/components/logs.php that contain 'root:' passwd-style content or 'Purge log' in the body, indicating successful file read exploitation. ↗
- →FOFA/Shodan fingerprint 'NetAlert X' can be used to identify exposed instances for proactive scanning. ↗
- ·Vulnerability affects NetAlertX versions v24.7.18 through v24.9.12 (NVD states before v24.10.12). Ensure version scoping is correct when deploying detections — patched instances running v24.10.12+ should not be flagged. ↗
- ·The bypass relies on strpos logic weaknesses combined with directory traversal — detection rules based solely on path traversal strings may miss variants that use alternate encodings or double slashes (e.g., '/../../../../..//'). ↗
- ·This vulnerability was exploited in the wild as of May 2025; treat any unpatched internet-exposed NetAlertX instance as actively targeted. ↗
CVSS provenance
nvdv3.18.6HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
vulncheck8.6HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-h96f-qxw6-vq8x: NetAlertX 24
ghsa_unreviewed·2025-05-13
CVE-2024-48766 [HIGH] CWE-22 GHSA-h96f-qxw6-vq8x: NetAlertX 24
NetAlertX 24.7.18 before 24.10.12 allows unauthenticated file reading because an HTTP client can ignore a redirect, and because of factors related to strpos and directory traversal, as exploited in the wild in May 2025. This is related to components/logs.php.
VulnCheck
netalertx netalertx Execution After Redirect (EAR)
vulncheck·2024·CVSS 8.6
CVE-2024-48766 [HIGH] netalertx netalertx Execution After Redirect (EAR)
netalertx netalertx Execution After Redirect (EAR)
NetAlertX 24.7.18 before 24.10.12 allows unauthenticated file reading because an HTTP client can ignore a redirect, and because of factors related to strpos and directory traversal, as exploited in the wild in May 2025. This is related to components/logs.php.
Affected: NetAlertX NetAlertX
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-05-12&host_type=src&vulnerability=cve-2024-48766; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-05-13&host_type=src&vulnerability=cve-2024-48766; https://
No detection rules found.
Metasploit
NetAlertX File Read Vulnerability
metasploit
NetAlertX File Read Vulnerability
NetAlertX File Read Vulnerability
This module exploits improper authentication in logs.php endpoint. An unathenticated attacker can request log file and read any file due path traversal vulnerability.
Nuclei
NetAlert X - Arbitary File Read
nuclei·CVSS 8.6
CVE-2024-48766 [HIGH] NetAlert X - Arbitary File Read
NetAlert X - Arbitary File Read
A directory traversal vulnerability has been identified in NetAlertX versions v24.7.18 - v24.9.12.
Template:
id: CVE-2024-48766
info:
name: NetAlert X - Arbitary File Read
author: s4e-io
severity: critical
description: |
A directory traversal vulnerability has been identified in NetAlertX versions v24.7.18 - v24.9.12.
impact: |
This vulnerability allows remote attackers to list directories on the affected system. Successful exploitation could enable unauthorized users to explore the system’s internal structure.
remediation: |
Fixed in v24.10.12
reference:
- https://advisories.checkpoint.com/defense/advisories/public/2025/cpai-2024-1358.html
- https://github.com/rapid7/metasploit-framework/pull/19881
- https://github.com/jokob-sk/NetAlertX
classification:
No writeups or analysis indexed.
2025-05-13
Published
Exploited in the wild