CVE-2024-8525
Published 2024-11-21
Priority: P2 · 61 · Critical, score 10 (CVSS 4.0)
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 1.43% (69.7th percentile)
An unrestricted upload of file with dangerous type in Automated Logic WebCTRL 7.0 could allow an unauthenticated user to perform remote command execution via a crafted HTTP POST request which could lead to uploading a malicious file.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| automated_logic_a_carrier_company | webctrl | — | — |
| carrier | i-vu | — | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated HTTP POST requests uploading files to Automated Logic WebCTRL 7.0, which may indicate exploitation of the unrestricted file upload vulnerability (CVE-2024-8525) for remote command execution.
- Monitor for unauthenticated file upload attempts on WebCTRL 7.0 endpoints; successful exploitation allows arbitrary command execution on the server without authentication (PR:N, UI:N).
- Alert on requests to index.jsp with external redirect parameters from authenticated sessions, which may indicate open redirect abuse (CVE-2024-8526) chained with CVE-2024-8525.
- CVE-2024-8525 affects specifically version 7.0 of all listed products (WebCTRL Server, Carrier i-Vu, SiteScan Web, WebCTRL for OEMs); version 7.0 reached end-of-support on 1/27/2023, meaning no further patches will be issued for this version beyond the available update.
- No known public exploitation specifically targeting CVE-2024-8525 had been reported to CISA at the time of advisory publication (November 21, 2024).
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.