CVE-2024-7120
Published 2024-07-26
Priority P1 · 91 · critical · 9.8 CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 93.40% (99.8th percentile)
A vulnerability, which was classified as critical, was found in Raisecom MSG1200, MSG2100E, MSG2200 and MSG2300 3.90. This affects an unknown part of the file list_base_config.php of the component Web Interface. The manipulation of the argument template leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-272451.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| raisecom | msg1200 | — | — |
| raisecom | msg1200_firmware | — | — |
| raisecom | msg2100e | — | — |
| raisecom | msg2100e_firmware | — | — |
| raisecom | msg2200 | — | — |
| raisecom | msg2200_firmware | — | — |
| raisecom | msg2300 | — | — |
| raisecom | msg2300_firmware | — | — |
Detection & IOCs
snort
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Raisecom MSG Series Gateway Command Injection Attempt (CVE-2024-7120)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/vpn/list_base_config.php?"; fast_pattern; startswith; content:"type=mod"; content:"parts=base_config"; content:"template="; pcre:"/^.{0,20}(?:\x60|\x3b|%60|%3[Bb])/R"; reference:url,github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-7120.yaml; reference:cve,2024-7120; classtype:attempted-admin; sid:2056282; rev:1; metadata:affected_product Raisecom, attack_target Networking_Equipment, tls_state plaintext, created_at 2024_09_27, cve CVE_2024_7120, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_09_27; target:dest_ip;)
```
- Exploit targets the `template` parameter of list_base_config.php via backtick (`) or semicolon (;) command injection — look for URL-encoded %60 or %3B in the `template=` query parameter
- Attack is a two-stage HTTP GET sequence: first injects a command writing output to /www/tmp/info.html, then retrieves /tmp/info.html to confirm execution
- FOFA fingerprint for exposed Raisecom devices: '"Web user login" && ""' — use to identify internet-facing targets
- URI must start with /vpn/list_base_config.php? and contain both type=mod and parts=base_config to match the vulnerable endpoint
- Exploitation requires authentication (low-privilege); monitor authenticated sessions on Raisecom web interfaces for anomalous GET requests to list_base_config.php
- The vulnerability is only exploitable over plaintext HTTP (not TLS); perimeter detection should focus on unencrypted traffic
- EPSS score of 0.9226 (99.7th percentile) indicates very high likelihood of active exploitation in the wild
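For retrospective hunting, the same conditions as the rule above can be run over stored web or proxy access logs. The sketch below is an added example, not code from this page or from any of the cited sources; it assumes common/combined log format, the function names are hypothetical, the sample lines are constructed (documentation IP ranges, `CMD` as a placeholder), and unlike the rule's relative pcre it tests every `template=` occurrence in the URI.

```python
import re
from collections import namedtuple

Request = namedtuple("Request", "client method uri status")

# Assumed log layout: client ident user [time] "METHOD URI PROTO" status ...
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*" (\d{3})')
# Same test as the rule's pcre: backtick or semicolon, raw or URL-encoded,
# within 20 characters after "template=".
META_AFTER_TEMPLATE = re.compile(r"template=.{0,20}(?:`|;|%60|%3[Bb])")

def parse_line(line):
    m = LOG_LINE.match(line)
    return Request(m[1], m[2], m[3], int(m[4])) if m else None

def is_injection_attempt(req):
    """Apply the rule's conditions (GET only, as in the rule) to one request."""
    uri = req.uri
    return (req.method == "GET"
            and uri.startswith("/vpn/list_base_config.php?")
            and "type=mod" in uri
            and "parts=base_config" in uri
            and META_AFTER_TEMPLATE.search(uri) is not None)

def find_suspects(lines):
    """Return (client, followed_up) per hit; followed_up is True when the
    same client later fetches /tmp/info.html (the second stage)."""
    reqs = [r for r in map(parse_line, lines) if r]
    hits = []
    for i, req in enumerate(reqs):
        if not is_injection_attempt(req):
            continue
        followed = any(
            later.client == req.client and later.method == "GET"
            and later.uri.split("?", 1)[0] == "/tmp/info.html"
            for later in reqs[i + 1:])
        hits.append((req.client, followed))
    return hits

# Constructed sample lines, not taken from real traffic.
BASE = "/vpn/list_base_config.php?type=mod&parts=base_config&template="
SAMPLE_LOG = [
    f'192.0.2.10 - - [27/Sep/2024:10:00:01 +0000] "GET {BASE}%60CMD%60 HTTP/1.1" 200 512',
    '192.0.2.10 - - [27/Sep/2024:10:00:02 +0000] "GET /tmp/info.html HTTP/1.1" 200 64',
    f'198.51.100.7 - - [27/Sep/2024:10:05:00 +0000] "GET {BASE}default HTTP/1.1" 200 900',
    f'198.51.100.9 - - [27/Sep/2024:10:06:00 +0000] "GET {BASE}a;CMD HTTP/1.1" 200 512',
    f'198.51.100.7 - - [27/Sep/2024:10:07:00 +0000] "POST {BASE}%3bCMD HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for client, followed in find_suspects(SAMPLE_LOG):
        print(client, "second stage seen" if followed else "attempt only")
```

A hit with `followed_up` set is the higher-priority case to triage, since it matches the full two-request sequence described above.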
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 5.3 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vulncheck | — | 5.3 | MEDIUM | — |
GHSA
ghsa_unreviewed·2024-07-26
CVE-2024-7120 [MEDIUM] CWE-78 GHSA-9254-9wvc-gmqr: A vulnerability, which was classified as critical, was found in Raisecom MSG1200, MSG2100E, MSG2200 and MSG2300 3
VulnCheck
vulncheck·2024·CVSS 5.3
CVE-2024-7120 [MEDIUM] raisecom msg2300_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Affected: raisecom msg2300_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: http
Suricata
suricata·2024-09-27·CVSS 5.3
CVE-2024-7120 [MEDIUM] ET WEB_SPECIFIC_APPS Raisecom MSG Series Gateway Command Injection Attempt (CVE-2024-7120)
Nuclei
nuclei·CVSS 5.3
CVE-2024-7120 [MEDIUM] Raisecom MSG1200, MSG2100E, MSG2200 and MSG2300 3.90 - Command Injection
Template:
```yaml
id: CVE-2024-7120
info:
  name: Raisecom MSG1200, MSG2100E, MSG2200 and MSG2300 3.90 - Command Injection
  author: pussycat0x
  severity: medium
  description: |
    A vulnerability, which was classified as critical, was found in Raisecom MSG1200, MSG2100E, MSG2200 a
```
arXiv
TORCHLIGHT: Shedding LIGHT on Real-World Attacks on Cloudless IoT Devices Concealed within the Tor Network
arxiv_fulltext·2025-01-28
Yumingzhi Pan, Zhen Ling (corresponding author: Prof. Zhen Ling of Southeast University, China), Yue Zhang, Hongze Wang, Guangchi Liu, Junzhou Luo, Xinwen Fu
Southeast University, Email: {pymz, zhenling, wanghongze, gc-liu, jluo}@seu.edu.cn
Drexel University
University of Massachusetts Lowell
## Abstract
The rapidly expanding Internet of Things (IoT) landscape is shifting toward cloudless architectures, removing reliance on centralized cloud services but exposing devices directly to the internet and increasing their vulnerability to cyberattacks. Our research revealed an unexpected pattern of substantial Tor net
Fortinet
The Resurgence of IoT Malware: Inside the Mirai-Based Botnet Campaign | FortiGuard Labs
blogs_fortinet·2025-08-22
Unpacking the Mirai-based Gayfemboy botnet campaign, its evolution, global targets, and Fortinet security protections
By Vincent Li | August 22, 2025
Affected Platforms: DrayTek Vigor2960 1.3.1_Beta, DrayTek Vigor3900 1.4.4_Beta, DrayTek Vigor300B 1.3.3_Beta, DrayTek Vigor300B 1.4.2.1_Beta, DrayTek Vigor300B 1.4.4_Beta, TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219, Raisecom MSG1200, Raisecom MSG2100E, Raisecom MSG2200, Raisecom MSG2300 3.90, Cisco ISE, Cisco ISE-PIC
Impacted Users: Any organization
Impact: Remote attackers gain control
Greynoiseio
NoiseLetter September 2024
blogs_greynoiseio
- https://netsecfish.notion.site/Command-Injection-Vulnerability-in-RAISECOM-Gateway-Devices-673bc7d2f8db499f9de7182d4706c707?pvs=4
- https://vuldb.com/?ctiid.272451
- https://vuldb.com/?id.272451
- https://vuldb.com/?submit.380167
2024-07-26
Published
Exploited in the wild