CVE-2024-9054
published 2024-10-04

CVE-2024-9054: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Exposure of Sensitive Information to an Unauthorized Actor…

Priority: P2 (73), high
CVSS 3.1 base score: 8.8
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 14.61% (96.2th percentile)
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Microchip TimeProvider 4100 (Configuration modules) allows Command Injection. This issue affects TimeProvider 4100: from 1.0 before 2.4.7.

Affected (2 ranges)

Vendor     Product                      Version range      Fixed in
microchip  timeprovider_4100            >= 1.0, < 2.4.7    2.4.7
microchip  timeprovider_4100_firmware   >= 1.0, < 2.4.7    2.4.7

Detection & IOCs (extracted from sources)

url: /config_restore
url: /configbackuprestore
cookie: ci_session=[session cookie]
filename: tp4100_cfg.txt
command: `ping 192.168.1.20`
  • Monitor HTTP POST requests to the /config_restore endpoint on TimeProvider 4100 management interfaces. Malicious config uploads will use multipart/form-data with a file field named 'file' and a plaintext password field named 'pword'.
  • Inspect uploaded configuration files (tp4100_cfg.txt) for backtick-wrapped OS commands or shell metacharacters inside the <secret_key> XML tag, which is the injection point.
  • Alert on any login attempt via SSH, Telnet, or Console to a TimeProvider 4100 device shortly after a configuration restore — login is the trigger that executes the injected payload.
  • The exploit transmits the web account password in cleartext as a multipart form field named 'pword' in the restore request; detect credential exposure by inspecting this field in HTTP traffic.
  • Flag TimeProvider 4100 devices running firmware versions 1.0 through 2.4.6 (before 2.4.7) as vulnerable; version 2.3.12 was confirmed exploitable in testing.
  • Exploitation requires prior authenticated access to the device's management web interface to download and re-upload the configuration file; unauthenticated exploitation is not directly possible.
  • The payload is not executed at upload time; it is deferred until the next login attempt via SSH, Telnet, or Console, meaning there is a window between upload and execution that may complicate real-time detection.
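The second bullet's file check, as an added example that is not part of this page or of Microchip's own tooling: a small scanner that pulls every <secret_key> value out of a restored configuration file and flags command substitution or other shell metacharacters. The tag name comes from the page; the surrounding file layout and the sample backups are constructed.

```python
import re

# The page names <secret_key> as the injection point; the rest of the
# tp4100_cfg.txt layout is an assumption for this example.
SECRET_KEY_RE = re.compile(r"<secret_key>(.*?)</secret_key>", re.DOTALL)

# Backticks and $( ) are command substitution; the rest separate, pipe,
# background, redirect or newline-terminate a command. None belong in a key.
SUBSTITUTION_RE = re.compile(r"`|\$\(")
SEPARATOR_RE = re.compile(r"[;|&<>\n]")


def find_injected_secret_keys(config_text):
    """Return (value, reason) pairs for every <secret_key> that looks injected.

    An empty list means no key value contained shell syntax."""
    findings = []
    for match in SECRET_KEY_RE.finditer(config_text):
        value = match.group(1)
        if SUBSTITUTION_RE.search(value):
            findings.append((value, "command substitution"))
        elif SEPARATOR_RE.search(value):
            findings.append((value, "shell metacharacter"))
    return findings


# Constructed samples: a benign backup, and one whose key carries the
# backtick-wrapped ping listed as an indicator on this page.
CLEAN_CONFIG = "<config><secret_key>Ab3dEfG9</secret_key></config>"
INJECTED_CONFIG = (
    "<config>\n"
    "  <secret_key>`ping 192.168.1.20`</secret_key>\n"
    "</config>\n"
)

if __name__ == "__main__":
    for name, text in (("clean", CLEAN_CONFIG), ("injected", INJECTED_CONFIG)):
        print(name, find_injected_secret_keys(text))
```

Run it against every tp4100_cfg.txt seen in a POST to /config_restore; a non-empty result is the signal to correlate with the next SSH, Telnet or Console login on that device.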

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd     v4.0     8.5    HIGH      CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:M/U:Amber