CVE-2024-10749

5.0 MEDIUM

📋 TL;DR

This critical vulnerability in ThinkAdmin allows remote attackers to execute arbitrary code through insecure deserialization in the Plugs.php file. It affects ThinkAdmin versions up to 6.1.67, potentially compromising entire systems if exploited successfully.

💻 Affected Systems

Products:
  • ThinkAdmin
Versions: up to 6.1.67
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the /app/admin/controller/api/Plugs.php file specifically through the uptoken parameter.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠 Likely Case

Unauthorized access to the ThinkAdmin application with potential for privilege escalation and data manipulation.

🟢 If Mitigated

Limited impact with proper network segmentation, input validation, and deserialization controls in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: HIGH

A public exploit has been disclosed and may be used, although the vulnerability description rates the attack complexity as high.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch is available. Consider upgrading to version 6.1.68 or later if it is released, or apply the workarounds below.

🔧 Temporary Workarounds

Disable vulnerable endpoint

Applies to: all

Block access to the vulnerable Plugs.php file to prevent exploitation. Confirm the URL path your deployment actually exposes for this controller; a block on the source file path alone may not cover the routed URL.

# Add to web server configuration (Apache 2.4 example)
<Location "/app/admin/controller/api/Plugs.php">
    Require all denied
</Location>
# On Apache 2.2 (or 2.4 with mod_access_compat) use "Deny from all" instead of "Require all denied".
# Nginx example
location /app/admin/controller/api/Plugs.php {
    deny all;
}

Input validation filter

Applies to: all

Add validation to reject malicious uptoken parameter values

# In Plugs.php, add validation before deserialization
<?php
// Serialized PHP data contains ':', '"', '{' and ';', none of which this pattern allows.
$uptoken = $_REQUEST['uptoken'] ?? '';  // or reuse however Plugs.php already reads it
if (!preg_match('/^[a-zA-Z0-9\-_]+$/', $uptoken)) {
    http_response_code(400);
    die('Invalid token');
}

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate ThinkAdmin instances
  • Deploy web application firewall with deserialization attack detection rules

🔍 How to Verify

Check if Vulnerable:

Check the ThinkAdmin version and verify whether the Plugs.php file exists and still contains the vulnerable deserialization code.

Check Version:

# Check the ThinkAdmin version in the configuration files or the admin panel

Verify Fix Applied:

Verify that Plugs.php has been modified with proper input validation, or that the endpoint is blocked at the web server.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /app/admin/controller/api/Plugs.php
  • Deserialization errors in application logs
  • Suspicious PHP execution patterns

Network Indicators:

  • HTTP requests with crafted uptoken parameters
  • Traffic to Plugs.php endpoint from unexpected sources

SIEM Query:

source="web_logs" AND uri="/app/admin/controller/api/Plugs.php" AND (method="POST" OR params CONTAINS "uptoken")
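The log indicators above, turned into a small offline scanner as an added example (not part of the advisory or of ThinkAdmin): it reads combined-format access log lines, keeps only requests to the endpoint path named in this advisory, and reports POSTs, an uptoken parameter, an uptoken value that has the leading marker of serialized PHP data, and 5xx responses. The log lines are constructed samples, and the endpoint path is assumed to match the URL your deployment exposes.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" access-log request line, status and size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Endpoint named in the advisory (assumed to be the exposed URL; adjust if routed differently).
VULN_PATH = "/app/admin/controller/api/plugs.php"
# Leading marker of a serialized PHP object/array/class, e.g. O:8:"stdClass":0:{}
SERIALIZED_RE = re.compile(r'^(?:O|a|C):\d+:')


def classify(line: str):
    """Return (client_ip, [reasons]) for a request to the vulnerable endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path.lower() != VULN_PATH:
        return None
    reasons = [f'{m["method"]} to Plugs.php']
    # parse_qs percent-decodes the values, so the serialized marker is visible.
    for value in parse_qs(url.query).get("uptoken", []):
        reasons.append("uptoken parameter present")
        if SERIALIZED_RE.match(value):
            reasons.append("uptoken looks like serialized PHP data")
    if m["status"].startswith("5"):
        reasons.append("server error (possible deserialization failure)")
    return (m["ip"], reasons)


def scan(log_text: str):
    """Classify every line of a log and return the hits in order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


# Constructed sample lines (not real traffic); the third carries a harmless empty stdClass.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Nov/2024:12:00:01 +0000] "GET /static/app.js HTTP/1.1" 200 512
203.0.113.7 - - [10/Nov/2024:12:00:02 +0000] "POST /app/admin/controller/api/Plugs.php HTTP/1.1" 200 88
203.0.113.7 - - [10/Nov/2024:12:00:03 +0000] "GET /app/admin/controller/api/Plugs.php?uptoken=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 500 0
"""

if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE_LOG):
        print(ip, "->", "; ".join(reasons))
```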
