CVE-2024-4978
Published 2024-05-23
Priority: P1 81 high
CVSS 3.1: 8.4 (AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H)
CISA Known Exploited Vulnerability (due 2024-06-19)
Exploited in the wild
EPSS: 26.94% (97.8th percentile)
Justice AV Solutions Viewer Setup 8.3.7.250-1 contains a malicious binary when executed and is signed with an unexpected authenticode signature. A remote, privileged threat actor may exploit this vulnerability to execute unauthorized PowerShell commands.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| javs | javs_viewer | — | — |
| justice_av_solutions | viewer | — | — |
Detection & IOCs (extracted from sources)
URL: /gateway/register
Snort rule:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Justice AV Solutions Viewer Backdoor CnC Checkin (CVE-2024-4978)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:17; content:"/gateway/register"; http.request_body; content:"|7b 22|hostname|22 3a 22|"; startswith; content:"|22 2c 22|arch|22 3a 22|AMD64|22 2c 22|os_version|22 3a 22|Windows"; fast_pattern; within:200; reference:cve,2024-4978; reference:url,www.rapid7.com/blog/post/2024/05/23/cve-2024-4978-backdoored-justice-av-solutions-viewer-software-used-in-apparent-supply-chain-attack; classtype:trojan-activity; sid:2053040; rev:1; metadata:attack_target Client_and_Server, tls_state plaintext, created_at 2024_05_30, cve CVE_2024_4978, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_05_30; target:src_ip;)
Bytes:
|7b 22|hostname|22 3a 22| ... |22 2c 22|arch|22 3a 22|AMD64|22 2c 22|os_version|22 3a 22|Windows
- The malware sends system information to its C2 server via an HTTP POST to /gateway/register with a JSON body containing hostname, arch (AMD64) and os_version (Windows) fields; this is detectable in plaintext (unencrypted) traffic.
- Post-compromise, look for execution of two obfuscated PowerShell scripts attempting to disable ETW and bypass AMSI; these are strong behavioural indicators of a compromised JAVS endpoint.
- Watch for Python scripts dropped and executed post-infection that collect credentials from web browsers; these indicate the secondary payload stage.
- The backdoored installer is signed with an unexpected/unauthorized Authenticode signature; verify the code-signing certificate details on any JAVS installer as a detection/triage step.
- The malicious binary is named fffmpeg.exe (triple "f"); presence of this file on an endpoint is a high-confidence indicator of compromise. Distinguish it from the legitimate ffmpeg.exe.
- The Snort/ET rule (sid:2053040) targets plaintext HTTP only (tls_state plaintext); ensure network monitoring covers unencrypted outbound HTTP from endpoints running JAVS software.
- JAVS confirmed that no source code, certificates, systems or other software releases were compromised; only the specific Viewer 8.3.7 installer was affected, and version 8.3.9 or higher is safe.
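The match conditions of the ET rule above (POST, a 17-byte URI of /gateway/register, a body that starts with the hostname key and carries the arch/os_version marker within 200 bytes) can be exercised offline against sample traffic. The following Python is an added example, not code from the page, JAVS or Emerging Threats; the HTTP requests it checks are constructed, and the 200-byte window is read as Suricata's within, relative to the end of the previous match.

```python
# Added example (not from the page, JAVS or Emerging Threats): a Python
# re-implementation of the match conditions in ET rule sid:2053040 so the
# rule logic can be exercised offline. All sample requests are constructed.

URI = "/gateway/register"                                   # http.uri; bsize:17
BODY_PREFIX = b'{"hostname":"'                              # |7b 22|hostname|22 3a 22|; startswith
BODY_MARKER = b'","arch":"AMD64","os_version":"Windows'     # fast_pattern; within:200


def matches_javs_checkin(method: str, uri: str, body: bytes) -> bool:
    """True when a request satisfies every condition of the rule."""
    if method != "POST":                                    # http.method; content:"POST"
        return False
    if len(uri.encode("latin-1")) != 17 or uri != URI:      # bsize:17, then exact content
        return False
    if not body.startswith(BODY_PREFIX):                    # startswith on request body
        return False
    # within:200 is relative to the end of the previous match: the marker
    # must end inside the 200 bytes that follow the prefix.
    window = body[len(BODY_PREFIX):len(BODY_PREFIX) + 200]
    return BODY_MARKER in window


def parse_request(raw: bytes):
    """Minimal HTTP/1.x request split: returns (method, uri, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    method, uri, _version = request_line.split(" ", 2)
    return method, uri, body


def scan(samples: dict) -> list:
    """Return the names of the samples the rule logic would alert on."""
    return [name for name, raw in samples.items()
            if matches_javs_checkin(*parse_request(raw))]


def _req(method: str, uri: str, body: bytes) -> bytes:
    head = f"{method} {uri} HTTP/1.1\r\nHost: example.invalid\r\n"
    head += f"Content-Length: {len(body)}\r\n\r\n"
    return head.encode("latin-1") + body


# Constructed samples: one shaped like the check-in, three benign variants.
SAMPLES = {
    "checkin": _req("POST", URI, b'{"hostname":"WS-EXAMPLE-01","arch":"AMD64",'
                                 b'"os_version":"Windows 10 Pro"}'),
    "wrong_method": _req("GET", URI, b'{"hostname":"x","arch":"AMD64","os_version":"Windows"}'),
    "wrong_uri": _req("POST", "/gateway/register/", b'{"hostname":"x","arch":"AMD64","os_version":"Windows"}'),
    "other_json": _req("POST", URI, b'{"user":"a","hostname":"b","arch":"AMD64","os_version":"Windows"}'),
}
```

Running scan(SAMPLES) flags only "checkin"; the other three fail the method, URI length or startswith conditions, which is useful for checking that a tuned copy of the rule has not drifted wider than the original.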
CVSS provenance
NVD v3.1: 8.4 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
NVD v4.0: 8.7 HIGH CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulnCheck: 8.7 HIGH
CISA: 8.7 HIGH
GHSA
GHSA-wf54-f8v9-v72v: Justice AV Solutions Viewer Setup 8
GHSA (unreviewed) · 2024-05-23
CVE-2024-4978 [HIGH] CWE-502 GHSA-wf54-f8v9-v72v: Justice AV Solutions Viewer Setup 8
Justice AV Solutions Viewer Setup 8.3.7.250-1 contains a malicious binary when executed and is signed with an unexpected authenticode signature. A remote, privileged threat actor may exploit this vulnerability to execute unauthorized PowerShell commands.
VulnCheck
Justice AV Solutions (JAVS) Viewer Installer Embedded Malicious Code Vulnerability
VulnCheck · 2024 · CVSS 8.7
CVE-2024-4978 [HIGH] CWE-506 Justice AV Solutions (JAVS) Viewer Installer Embedded Malicious Code Vulnerability
Justice AV Solutions (JAVS) Viewer installer contains a malicious version of ffmpeg.exe, named fffmpeg.exe (SHA256: 421a4ad2615941b177b6ec4ab5e239c14e62af2ab07c6df1741e2a62223223c4). When run, this creates a backdoor connection to a malicious C2 server.
Affected: Justice AV Solutions Viewer
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.rapid7.com/blog/post/2024/05/23/cve-2024-4978-backdoored-justice-av-solutions-viewer-software-used-in-apparent-supply-chain-attack/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.cert.europa.eu/publications/t
CISA
Justice AV Solutions (JAVS) Viewer Installer Embedded Malicious Code Vulnerability
CISA · 2024-05-29 · CVSS 8.7
CVE-2024-4978 [HIGH] CWE-506 Justice AV Solutions (JAVS) Viewer Installer Embedded Malicious Code Vulnerability
Vulnerability: Justice AV Solutions (JAVS) Viewer Installer Embedded Malicious Code Vulnerability
Affected: Justice AV Solutions Viewer
Justice AV Solutions (JAVS) Viewer installer contains a malicious version of ffmpeg.exe, named fffmpeg.exe (SHA256: 421a4ad2615941b177b6ec4ab5e239c14e62af2ab07c6df1741e2a62223223c4). When run, this creates a backdoor connection to a malicious C2 server.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: Please follow the vendor’s instructions as outlined in the public statements at https://www.rapid7.com/blog/post/2024/05/23/cve-2024-4978-backdoored-justice-av-solutions-viewer-software-used-in-apparent-supply-chain-attack#remediation and https://www.javs.com/downloads; http
Suricata
ET MALWARE Justice AV Solutions Viewer Backdoor CnC Checkin (CVE-2024-4978)
Suricata · 2024-05-30 · CVSS 8.7
CVE-2024-4978 [HIGH] ET MALWARE Justice AV Solutions Viewer Backdoor CnC Checkin (CVE-2024-4978)
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Justice AV Solutions Viewer Backdoor CnC Checkin (CVE-2024-4978)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:17; content:"/gateway/register"; http.request_body; content:"|7b 22|hostname|22 3a 22|"; startswith; content:"|22 2c 22|arch|22 3a 22|AMD64|22 2c 22|os_version|22 3a 22|Windows"; fast_pattern; within:200; reference:cve,2024-4978; reference:url,www.rapid7.com/blog/post/2024/05/23/cve-2024-4978-backdoored-justice-av-solutions-viewer-software-used-in-apparent-supply-chain-attack; classtype:trojan-activity; sid:2053040; rev:1; metadata:attack_target Client_and_Server, tls_state plaintext, created_at 2024_05_30, c
No public exploits indexed.
References:
https://twitter.com/2RunJack2/status/1775052981966377148
https://www.javs.com/downloads/
https://www.rapid7.com/blog/post/2024/05/23/cve-2024-4978-backdoored-justice-av-solutions-viewer-software-used-in-apparent-supply-chain-attack/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-4978
Published: 2024-05-23
Added to CISA KEV: 2024-05-29
Exploited in the wild