CVE-2024-8877
Published 2024-09-25
Priority: P187 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 77.31% (99.5th percentile)
Improper neutralization of special elements results in a SQL Injection vulnerability in Riello Netman 204. It is only limited to the SQLite database of measurement data. This issue affects Netman 204: through 4.05.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| riello-ups | netman_204_firmware | <= 4.05 | — |
| riello | netman_204 | <= 4.05 | — |
Detection & IOCs (extracted from sources)
url: {{BaseURL}}/cgi-bin/db_eventlog_w.cgi?date_start=0&date_end=1715630160&gravity=%25&type=%25%27and/**/%271%27=%271
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Riello Netman 204 UPS SQL Injection Attempt (CVE-2024-8877)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/db_"; fast_pattern; startswith; pcre:"/^(?:eventlog|datalog|multimetr)/R"; content:"_w.cgi|3f|"; distance:0; content:"type|3d|"; distance:0; pcre:"/^[^\x26]*?(?:\x27|%27)/R"; reference:url,cyberdanube.com/security-research/multiple-vulnerabilities-in-riello-netman-204/; reference:cve,2024-8877; classtype:attempted-admin; sid:2058117; rev:1; metadata:affected_product Riello_UPS, attack_target Networking_Equipment, tls_state plaintext, created_at 2024_12_06, cve CVE_2024_8877, deployment Perimeter, deployment Internal, deployment Datacenter, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2024_12_06; target:dest_ip;)
- HTTP response body for successful SQLi exploitation contains the strings 'START APPLICATION', 'category":', and 'codeStr":' with HTTP 200 status code.
- Shodan, FOFA, Censys, and Google dork queries can identify exposed Riello Netman 204 devices as attack targets: title:"netman 204", body:"netman204", intitle:"netman 204".
- The SQLi payload uses comment-based bypass (/**/) and single-quote injection in the 'type' parameter: type=%25%27and/**/%271%27=%271; look for URL-encoded single quotes (%27) in requests to the vulnerable CGI endpoints.
- The Snort/ET rule triggers on GET requests where the URI starts with /cgi-bin/db_ followed by eventlog, datalog, or multimetr, then _w.cgi, and contains a single quote (literal or %27) in the type parameter value.
- Exploitation requires no authentication (unauthenticated SQLi), so any source IP hitting these endpoints with SQLi patterns should be treated as malicious.
- The SQL injection only affects the SQLite database of measurement data; it does not impact the main device configuration database.
- The ET Snort rule (sid:2058117) is scoped to plaintext traffic only (tls_state plaintext); encrypted HTTPS traffic to the device would not be detected by this rule.
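The same matching logic can be applied to access logs, which also covers HTTPS requests that the plaintext-scoped rule cannot see. The following is an added example, not code from this page, the ET ruleset or the vendor; it assumes combined-format access logs from a reverse proxy in front of the device, and the function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# The three endpoints named on this page, matched exactly. This is stricter
# than the ET rule, which allows arbitrary bytes before "_w.cgi?".
ENDPOINT = re.compile(r"^/cgi-bin/db_(?:eventlog|datalog|multimetr)_w\.cgi$")
# Assumed layout: combined log format (source ... "METHOD target HTTP/x" status).
REQUEST = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def flag_request(line):
    """Return a finding dict if the line matches the rule's logic, else None."""
    m = REQUEST.match(line)
    if not m or m["method"] != "GET":          # the rule only inspects GET
        return None
    url = urlsplit(m["target"])
    if not ENDPOINT.match(url.path):
        return None
    # parse_qsl percent-decodes values, so %27 and a literal ' look the same.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name == "type" and "'" in value:
            return {"src": m["src"], "endpoint": url.path,
                    "type": value, "status": int(m["status"])}
    return None

def scan(lines):
    """Return findings for every matching line, in input order."""
    return [hit for hit in map(flag_request, lines) if hit]

# Constructed sample lines using documentation address ranges; not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [15/Oct/2024:10:00:00 +0000] "GET /cgi-bin/db_eventlog_w.cgi'
    '?date_start=0&date_end=1715630160&gravity=%25&type=%25%27and/**/%271%27=%271'
    ' HTTP/1.1" 200 512',
    '192.0.2.44 - - [15/Oct/2024:10:00:05 +0000] "GET /cgi-bin/db_eventlog_w.cgi'
    '?date_start=0&date_end=1715630160&gravity=%25&type=%25 HTTP/1.1" 200 498',
    '192.0.2.10 - - [15/Oct/2024:10:00:09 +0000] "GET /cgi-bin/db_datalog_w.cgi'
    "?type='x HTTP/1.1\" 200 87",
    '192.0.2.10 - - [15/Oct/2024:10:00:12 +0000] "GET /index.html?type=%27 HTTP/1.1" 200 20',
    '192.0.2.10 - - [15/Oct/2024:10:00:15 +0000] "POST /cgi-bin/db_multimetr_w.cgi'
    '?type=%27 HTTP/1.1" 200 20',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The logged status code is kept in each finding for triage, since the page ties successful exploitation to an HTTP 200 response.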
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | | 6.9 | MEDIUM | |
GHSA
GHSA-8g8m-p65c-g42p: Improper neutralization of special elements results in a SQL Injection vulnerability in Riello Netman 204
ghsa_unreviewed·2024-09-25
CVE-2024-8877 [MEDIUM] CWE-89 GHSA-8g8m-p65c-g42p: Improper neutralization of special elements results in a SQL Injection vulnerability in Riello Netman 204
Improper neutralization of special elements results in a SQL Injection vulnerability in Riello Netman 204. It is only limited to the SQLite database of measurement data. This issue affects Netman 204: through 4.05.
VulnCheck
riello-ups netman_204_firmware Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck·2024·CVSS 6.9
CVE-2024-8877 [MEDIUM] riello-ups netman_204_firmware Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Improper neutralization of special elements results in a SQL Injection vulnerability in Riello Netman 204. It is only limited to the SQLite database of measurement data. This issue affects Netman 204: through 4.05.
Affected: riello-ups netman_204_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-10-15&host_type=src&vulnerability=cve-2024-8877; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-10-16&host_type=src&vulnerabi
Suricata
ET WEB_SPECIFIC_APPS Riello Netman 204 UPS SQL Injection Attempt (CVE-2024-8877)
suricata·2024-12-06·CVSS 6.9
CVE-2024-8877 [MEDIUM] ET WEB_SPECIFIC_APPS Riello Netman 204 UPS SQL Injection Attempt (CVE-2024-8877)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Riello Netman 204 UPS SQL Injection Attempt (CVE-2024-8877)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/db_"; fast_pattern; startswith; pcre:"/^(?:eventlog|datalog|multimetr)/R"; content:"_w.cgi|3f|"; distance:0; content:"type|3d|"; distance:0; pcre:"/^[^\x26]*?(?:\x27|%27)/R"; reference:url,cyberdanube.com/security-research/multiple-vulnerabilities-in-riello-netman-204/; reference:cve,2024-8877; classtype:attempted-admin; sid:2058117; rev:1; metadata:affected_product Riello_UPS, attack_target Networking_Equipment, tls_state plaintext, created_at 2024_12_06, cve CVE_2024_8877, deployment Perimeter, d
Nuclei
Riello Netman 204 - SQL Injection
nuclei·CVSS 6.9
CVE-2024-8877 [MEDIUM] Riello Netman 204 - SQL Injection
The three endpoints /cgi-bin/db_datalog_w.cgi, /cgi-bin/db_eventlog_w.cgi, and /cgi-bin/db_multimetr_w.cgi are vulnerable to SQL injection without prior authentication. This enables an attacker to modify the collected log data in an arbitrary way.
Template:
id: CVE-2024-8877
info:
  name: Riello Netman 204 - SQL Injection
  author: s4e-io
  severity: critical
  description: |
    The three endpoints /cgi-bin/db_datalog_w.cgi, /cgi-bin/db_eventlog_w.cgi, and /cgi-bin/db_multimetr_w.cgi are vulnerable to SQL injection without prior authentication. This enables an attacker to modify the collected log data in an arbitrary way.
  impact: |
    Unauthenticated attackers can exploit SQL injection to modify collected log data, extract sensitive information, and potentially gain
No writeups or analysis indexed.
Published: 2024-09-25
Exploited in the wild