CVE-2024-4978
published 2024-05-23


Priority: P1 · 81 · high
CVSS 3.1 base score: 8.4 (AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H)
KEV: CISA Known Exploited Vulnerability, due 2024-06-19
ITW: Exploited in the wild
EPSS: 26.94% (97.8th percentile)
Justice AV Solutions Viewer Setup 8.3.7.250-1 contains a malicious binary when executed and is signed with an unexpected authenticode signature. A remote, privileged threat actor may exploit this vulnerability to execute unauthorized PowerShell commands.

Affected (2 ranges)

Vendor                 Product       Version range   Fixed in
javs                   javs_viewer
justice_av_solutions   viewer

Detection & IOCs (extracted from sources)

filename: fffmpeg.exe
hash: 421a4ad2615941b177b6ec4ab5e239c14e62af2ab07c6df1741e2a62223223c4
filename: JAVS.Viewer8.Setup_8.3.7.250-1.exe
url: /gateway/register
Snort rule:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Justice AV Solutions Viewer Backdoor CnC Checkin (CVE-2024-4978)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:17; content:"/gateway/register"; http.request_body; content:"|7b 22|hostname|22 3a 22|"; startswith; content:"|22 2c 22|arch|22 3a 22|AMD64|22 2c 22|os_version|22 3a 22|Windows"; fast_pattern; within:200; reference:cve,2024-4978; reference:url,www.rapid7.com/blog/post/2024/05/23/cve-2024-4978-backdoored-justice-av-solutions-viewer-software-used-in-apparent-supply-chain-attack; classtype:trojan-activity; sid:2053040; rev:1; metadata:attack_target Client_and_Server, tls_state plaintext, created_at 2024_05_30, cve CVE_2024_4978, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_05_30; target:src_ip;)

Byte pattern matched in the request body (taken from the rule above):
|7b 22|hostname|22 3a 22| ... |22 2c 22|arch|22 3a 22|AMD64|22 2c 22|os_version|22 3a 22|Windows
  • The malware sends system information to its C2 server via HTTP POST to /gateway/register with a JSON body containing hostname, arch (AMD64), and os_version (Windows) fields — detectable in plaintext (unencrypted) traffic.
  • Post-compromise, look for execution of two obfuscated PowerShell scripts attempting to disable ETW and bypass AMSI — these are strong behavioral indicators of a compromised JAVS endpoint.
  • Watch for Python scripts dropped and executed post-infection that collect credentials from web browsers — indicative of the secondary payload stage.
  • The backdoored installer is signed with an unexpected/unauthorized Authenticode signature — verify code-signing certificate details on any JAVS installer as a detection/triage step.
  • The malicious binary is named fffmpeg.exe (triple 'f') — presence of this file on an endpoint is a high-confidence indicator of compromise; distinguish from the legitimate ffmpeg.exe.
  • The Snort/ET rule (sid:2053040) targets plaintext HTTP only (tls_state plaintext) — ensure network monitoring covers unencrypted outbound HTTP from endpoints running JAVS software.
  • JAVS confirmed that no source code, certificates, systems, or other software releases were compromised; only the specific Viewer 8.3.7 installer was affected, and version 8.3.9 or higher is safe.
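The match conditions of the ET rule above (POST, a 17-byte URI of exactly /gateway/register, a body that starts with {"hostname":" and carries the arch/os_version pattern within 200 bytes of it) restated as a small Python detector run over constructed sample requests. This is an added example, not code from the page's sources; the sample requests, hostnames and the documentation address 203.0.113.5 are made up for illustration.

```python
import json

# Constructed sample HTTP requests (not real captures), modelled on the
# conditions of ET rule sid:2053040. 203.0.113.5 is a documentation
# address standing in for the C2 host.
HEAD = b"POST /gateway/register HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\n"
CHECKIN = b'{"hostname":"WS-01","arch":"AMD64","os_version":"Windows 10 Pro"}'
SAMPLE_REQUESTS = {
    "checkin": HEAD + CHECKIN,
    "get_same_uri": b"GET /gateway/register HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\n",
    "other_arch": HEAD + b'{"hostname":"WS-02","arch":"x86","os_version":"Windows 10"}',
    "uri_too_long": HEAD.replace(b"/register ", b"/register2 ") + CHECKIN,
    # A benign app posting other JSON to the same path must not fire.
    "other_json": HEAD + b'{"user":"alice","action":"register"}',
}

PREFIX = b'{"hostname":"'                         # content ...; startswith
TAIL = b'","arch":"AMD64","os_version":"Windows'  # content ...; within:200

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, uri, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    method, uri, _version = head.split(b"\r\n", 1)[0].split(b" ", 2)
    return method, uri, body

def matches_javs_checkin(raw: bytes) -> bool:
    """Apply the rule's match logic to one request; True means it would alert."""
    method, uri, body = parse_request(raw)
    if method != b"POST" or len(uri) != 17 or uri != b"/gateway/register":
        return False                               # http.method / http.uri + bsize:17
    if not body.startswith(PREFIX):
        return False                               # http.request_body; startswith
    window = body[len(PREFIX):len(PREFIX) + 200]   # within:200, relative to PREFIX
    return TAIL in window

def checkin_fields(raw: bytes) -> dict:
    """For a matching request, pull the beacon fields out of the JSON body for triage."""
    _, _, body = parse_request(raw)
    data = json.loads(body)
    return {k: data.get(k) for k in ("hostname", "arch", "os_version")}

def scan(requests: dict) -> dict:
    """Map each sample name to whether the rule logic fires on it."""
    return {name: matches_javs_checkin(raw) for name, raw in requests.items()}

if __name__ == "__main__":
    for name, hit in scan(SAMPLE_REQUESTS).items():
        print(f"{name:14} {'ALERT' if hit else 'no match'}")
    print(checkin_fields(SAMPLE_REQUESTS["checkin"]))
```

Because the rule is restricted to plaintext HTTP, the same logic only helps where the sensor sees the decrypted or unencrypted request body.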

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      8.4     HIGH       CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
nvd         v4.0      8.7     HIGH       CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck             8.7     HIGH
cisa                  8.7     HIGH