cbcvebase.
CVE-2024-7120
published 2024-07-26

CVE-2024-7120: A vulnerability, which was classified as critical, was found in Raisecom MSG1200, MSG2100E, MSG2200 and MSG2300 3.90. This affects an unknown part of the file…

PriorityP191critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEVInitial access
Exploited in the wild
EPSS
93.40%
99.8th percentile
A vulnerability, which was classified as critical, was found in Raisecom MSG1200, MSG2100E, MSG2200 and MSG2300 3.90. This affects an unknown part of the file list_base_config.php of the component Web Interface. The manipulation of the argument template leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-272451.

Affected

8 ranges
VendorProductVersion rangeFixed in
raisecommsg1200
raisecommsg1200_firmware
raisecommsg2100e
raisecommsg2100e_firmware
raisecommsg2200
raisecommsg2200_firmware
raisecommsg2300
raisecommsg2300_firmware

Detection & IOCsextracted from sources · hover to see the quote

path/vpn/list_base_config.php
path/www/tmp/info.html
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Raisecom MSG Series Gateway Command Injection Attempt (CVE-2024-7120)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/vpn/list_base_config.php?"; fast_pattern; startswith; content:"type=mod"; content:"parts=base_config"; content:"template="; pcre:"/^.{0,20}(?:\x60|\x3b|%60|%3[Bb])/R"; reference:url,github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-7120.yaml; reference:cve,2024-7120; classtype:attempted-admin; sid:2056282; rev:1; metadata:affected_product Raisecom, attack_target Networking_Equipment, tls_state plaintext, created_at 2024_09_27, cve CVE_2024_7120, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_09_27; target:dest_ip;)
  • Exploit targets the `template` parameter of list_base_config.php via backtick (`) or semicolon (;) command injection — look for URL-encoded %60 or %3B in the `template=` query parameter
  • Attack is a two-stage HTTP GET sequence: first injects a command writing output to /www/tmp/info.html, then retrieves /tmp/info.html to confirm execution
  • FOFA fingerprint for exposed Raisecom devices: '"Web user login" && ""' — use to identify internet-facing targets
  • URI must start with /vpn/list_base_config.php? and contain both type=mod and parts=base_config to match the vulnerable endpoint
  • Exploitation requires authentication (low-privilege); monitor authenticated sessions on Raisecom web interfaces for anomalous GET requests to list_base_config.php
  • ·The vulnerability is only exploitable over plaintext HTTP (not TLS); perimeter detection should focus on unencrypted traffic
  • ·EPSS score of 0.9226 (99.7th percentile) indicates very high likelihood of active exploitation in the wild

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.05.3MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck5.3MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.