cbcvebase.
CVE-2024-48766
published 2025-05-13

CVE-2024-48766: NetAlertX 24.7.18 before 24.10.12 allows unauthenticated file reading because an HTTP client can ignore a redirect, and because of factors related to strpos…

PriorityP186high8.6CVSS 3.1
AVNACLPRNUINSCCHINAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
56.95%
98.9th percentile
NetAlertX 24.7.18 before 24.10.12 allows unauthenticated file reading because an HTTP client can ignore a redirect, and because of factors related to strpos and directory traversal, as exploited in the wild in May 2025. This is related to components/logs.php.

Affected

1 ranges
VendorProductVersion rangeFixed in
netalertxnetalertx>= 24.7.18 < 24.10.1224.10.12

Detection & IOCsextracted from sources · hover to see the quote

path/php/components/logs.php
path../../../../..//etc/passwd
otheritems=[{"buttons":[{"labelStringCode":"Maint_PurgeLog","event":"logManage(app.log, cleanLog)"},{"labelStringCode":"Maint_RestartServer","event":"askRestartBackend()"}],"fileName":"{{filename}}","filePath":"../../../../..//etc/passwd","textAreaCssClass":"logs"}]
sigma
regex('root:.*:0:0:', body) AND contains(body, 'Purge log') AND status_code == 200
  • Look for unauthenticated POST requests to /php/components/logs.php containing a 'filePath' parameter with directory traversal sequences (e.g., '../../../../../').
  • HTTP clients may ignore redirects to bypass authentication on the logs.php endpoint — monitor for direct POST requests to this endpoint without a prior authenticated session.
  • Inspect POST body for the JSON structure containing 'filePath' with traversal patterns and 'textAreaCssClass':'logs' as a fingerprint of exploit attempts.
  • Alert on HTTP 200 responses from /php/components/logs.php that contain 'root:' passwd-style content or 'Purge log' in the body, indicating successful file read exploitation.
  • FOFA/Shodan fingerprint 'NetAlert X' can be used to identify exposed instances for proactive scanning.
  • ·Vulnerability affects NetAlertX versions v24.7.18 through v24.9.12 (NVD states before v24.10.12). Ensure version scoping is correct when deploying detections — patched instances running v24.10.12+ should not be flagged.
  • ·The bypass relies on strpos logic weaknesses combined with directory traversal — detection rules based solely on path traversal strings may miss variants that use alternate encodings or double slashes (e.g., '/../../../../..//').
  • ·This vulnerability was exploited in the wild as of May 2025; treat any unpatched internet-exposed NetAlertX instance as actively targeted.

CVSS provenance

nvdv3.18.6HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
vulncheck8.6HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.