CVE-2024-48827
published 2024-10-11

CVE-2024-48827: An issue in sbondCo Watcharr v.1.43.0 allows a remote attacker to execute arbitrary code and escalate privileges via the Change Password function.

Priority: P262 high
CVSS 3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 2.72% (84.2th percentile)

Affected (1 range)

Vendor    Product     Version range    Fixed in
sbond     watcharr

Detection & IOCs (extracted from sources)

URL: /api/auth/
URL: /api/server/users/{user_id}
Port: 3080
  • Privilege escalation is performed by POSTing {"permissions": 3} to /api/server/users/{user_id} with a forged JWT Authorization header. Monitor for POST requests to /api/server/users/* with permissions value 3, 6, or 9 from non-admin sessions.
  • The exploit authenticates via POST to /api/auth/ to obtain a legitimate JWT, then immediately crafts a new token with userId=1. Correlate rapid sequential calls to /api/auth/ followed by /api/server/users/* from the same source IP.
  • userId=1 is hardcoded as the admin account in Watcharr. Flag any JWT payload where userId is set to 1 but the originating login session belonged to a different userId.
  • Watcharr's JWT implementation does not enforce signature verification, allowing tokens to be decoded and re-encoded with an empty secret. This is the root cause enabling the privilege escalation: any deployment of Watcharr v1.43.0 and below is affected regardless of configuration.
  • Partial admin privileges can also be obtained using permissions values 6 or 9, not only 3. Detection rules should cover all three values.