CVE-2024-54767
published 2025-01-06

Priority: P3 · Severity: high · CVSS 3.1 base score: 7.5
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: EXPLOIT
EPSS: 1.77% (75.4th percentile)
An access control issue in the component /juis_boxinfo.xml of AVM FRITZ!Box 7530 AX v7.59 allows attackers to obtain sensitive information without authentication. NOTE: this is disputed by the Supplier because it cannot be reproduced, and the issue report focuses on an unintended configuration with direct Internet exposure.

Detection & IOCs (extracted from sources)

  • path: /juis_boxinfo.xml
  • url: GET //juis_boxinfo.xml HTTP/1.1
  • other: body="FRITZ!Box 7530"
  • An HTTP GET request to the double-slash path //juis_boxinfo.xml returns HTTP 200 with Content-Type text/xml and a body containing '<e:BoxInfo'; this indicates unauthenticated access to sensitive device information.
  • A response body containing the XML tag '<e:BoxInfo' is a positive indicator of successful unauthenticated information disclosure.
  • The response Content-Type header is 'text/xml' when the vulnerable endpoint is successfully accessed.
  • The FOFA query 'body="FRITZ!Box 7530"' can be used to identify Internet-exposed FRITZ!Box 7530 devices when assessing exposure to mass scanning.
  • The vulnerability is disputed by the supplier (AVM) because it cannot be reproduced in standard configurations; the issue is reported to occur only when the device is directly exposed to the Internet (an unintended configuration).
  • The vulnerable path uses a double-slash prefix (//juis_boxinfo.xml) rather than the canonical single-slash path, which may be relevant to bypassing access controls; checks should specifically cover the double-slash variant.
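As an added detection example (not taken from the page's sources), the following Python parses constructed access-log lines in Common Log Format and flags requests for /juis_boxinfo.xml, including the double-slash variant, marking those that returned HTTP 200 with a non-empty body as probable disclosure. The log format, IP addresses and timestamps are assumed sample data, not the device's real log format.

```python
import re

# Constructed sample access-log lines in Common Log Format (not from the page).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Jan/2025:10:12:01 +0000] "GET //juis_boxinfo.xml HTTP/1.1" 200 1843
203.0.113.7 - - [06/Jan/2025:10:12:03 +0000] "GET /juis_boxinfo.xml HTTP/1.1" 403 0
198.51.100.4 - - [06/Jan/2025:10:15:22 +0000] "GET /login_sid.lua HTTP/1.1" 200 512
203.0.113.9 - - [06/Jan/2025:10:20:00 +0000] "GET //juis_boxinfo.xml HTTP/1.1" 404 0
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD PATH PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

TARGET_PATH = "/juis_boxinfo.xml"


def normalize(path):
    """Collapse repeated slashes so //juis_boxinfo.xml and /juis_boxinfo.xml compare equal."""
    return re.sub(r"/{2,}", "/", path)


def find_boxinfo_hits(log_text):
    """Return one record per request whose normalized path is the BoxInfo endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        raw_path = m.group("path").split("?", 1)[0]  # drop any query string
        if normalize(raw_path) != TARGET_PATH:
            continue
        status = int(m.group("status"))
        size = 0 if m.group("size") == "-" else int(m.group("size"))
        hits.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "raw_path": raw_path,
            "double_slash": raw_path.startswith("//"),  # the variant the IOC describes
            "status": status,
            # HTTP 200 with a non-empty body matches the disclosure indicator above
            "disclosed": status == 200 and size > 0,
        })
    return hits


if __name__ == "__main__":
    for hit in find_boxinfo_hits(SAMPLE_LOG):
        print(hit)
```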