CVE-2024-13129
📋 TL;DR
CVE-2024-13129 is an OS command injection vulnerability, rated critical, in Roxy-WI's action_service function. Caller-controlled input reaches a shell command, so a remote attacker who can invoke the affected function executes arbitrary commands on the Roxy-WI host. Versions up to and including 8.1.3 are affected. Because Roxy-WI manages load balancers and other infrastructure, a compromised instance puts the systems it administers within reach as well.
💻 Affected Systems
- Roxy-WI
⚠️ Manual Verification Required
The NVD entry for this CVE carries no version range, so automated scanners that key on CPE version ranges may not flag affected installs.
Use the vendor release as the dividing line instead: versions up to and including 8.1.3 are affected, 8.1.4 contains the fix (see Official Fix below).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Update to 8.1.4 or later; if the version cannot be established, treat the install as affected
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise: the attacker executes arbitrary commands with the privileges under which Roxy-WI runs its service-control commands, which can lead to data theft, ransomware deployment, or lateral movement into the infrastructure Roxy-WI manages.
Likely Case
Attackers gain shell access to the Roxy-WI server, allowing them to modify configurations, steal credentials, or use the server as a pivot point for further attacks.
If Mitigated
With proper network segmentation and least privilege, impact is limited to the Roxy-WI application server, though sensitive data on that server remains at risk.
🎯 Exploit Status
Exploit code is publicly available (see References), so the bug is easily weaponizable against any reachable instance. This entry does not establish whether a valid Roxy-WI login is needed to reach the affected function; plan as if anyone who can reach the web interface can exploit it, and check the published exploit against your deployment before relying on authentication as a barrier.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.1.4
Vendor Advisory: https://github.com/roxy-wi/roxy-wi/releases/tag/v8.1.4
Restart Required: Yes (the Roxy-WI service is stopped and started as part of the update)
Instructions:
1. Back up the current configuration.
2. Stop the Roxy-WI service.
3. Update to version 8.1.4 via the package manager or by manual installation.
4. Start the Roxy-WI service.
5. Verify functionality and confirm the version shown by the installation is 8.1.4 or later.
🔧 Temporary Workarounds
Network Access Restriction
Linux: Restrict network access to the Roxy-WI web interface to trusted IP addresses only
iptables -A INPUT -p tcp --dport [ROXY-WI-PORT] -s [TRUSTED-IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [ROXY-WI-PORT] -j DROP
Caveat: -A appends, so any earlier ACCEPT rule for that port still wins; insert these rules ahead of existing ones (or use -I) and keep an administrative path that does not depend on the Roxy-WI port so the DROP rule cannot lock you out. This only reduces exposure; a trusted address that is itself compromised can still reach the vulnerable function.
🧯 If You Can't Patch
- Immediately restrict network access to the Roxy-WI interface with firewall rules (see above)
- Monitor web-server and Roxy-WI logs for shell metacharacters (;, &, |, `, $( ) in the action and service parameters of service-control requests, and add WAF rules that reject such values
🔍 How to Verify
Check if Vulnerable:
Check the installed Roxy-WI version: the web interface footer shows it; if Roxy-WI was installed from the vendor package, the package manager reports it (package name roxy-wi assumed here):
Check Version:
rpm -q roxy-wi 2>/dev/null || dpkg -s roxy-wi 2>/dev/null | grep '^Version' || echo 'Check the web interface footer'
Verify Fix Applied:
Verify the version is 8.1.4 or higher, then confirm that the action and service inputs handled by action_service are validated: a request carrying a shell metacharacter in either parameter should be rejected, and no second command should run.
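To make the sanitization check concrete, the following added example (not Roxy-WI's own code, and not the code from the fix PR) models the vulnerable pattern beside a hardened form. The function names, allowlists and the `sudo systemctl` command layout are assumptions chosen to illustrate the bug class: a string-built shell command versus an argv list behind a strict allowlist.

```python
"""Model of a service-control command injection and its hardened counterpart.

Added illustration; not Roxy-WI's code. ALLOWED_* sets, the function names and
the command layout are hypothetical.
"""
from __future__ import annotations

import re
import subprocess

# Hypothetical allowlists; a real deployment derives these from its config.
ALLOWED_ACTIONS = frozenset({"start", "stop", "restart", "reload", "status"})
ALLOWED_SERVICES = frozenset({"haproxy", "nginx", "keepalived"})

# A unit name only ever needs these characters; anything else is suspect.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.@-]+$")


def build_command_unsafe(action: str, service: str) -> str:
    """Vulnerable pattern: caller input spliced into one shell string.

    Handed to os.system() or subprocess with shell=True, anything after a
    separator (';', '|', '&&', '$(...)') in either argument runs as a
    second command. Returned, not executed, so it is safe to inspect.
    """
    return f"sudo systemctl {action} {service}"


def is_injection_attempt(value: str) -> bool:
    """True when a parameter value contains characters a unit name never needs."""
    return SAFE_NAME.fullmatch(value) is None


def build_command_safe(action: str, service: str) -> list[str]:
    """Hardened form: reject anything outside the allowlists, then build an
    argv list so no shell ever parses the values."""
    if is_injection_attempt(action) or action not in ALLOWED_ACTIONS:
        raise ValueError(f"action not permitted: {action!r}")
    if is_injection_attempt(service) or service not in ALLOWED_SERVICES:
        raise ValueError(f"service not permitted: {service!r}")
    return ["sudo", "systemctl", action, service]


def rejects(action: str, service: str) -> bool:
    """Helper for checks: does the hardened builder refuse this input?"""
    try:
        build_command_safe(action, service)
    except ValueError:
        return True
    return False


def run_service_action(action: str, service: str) -> subprocess.CompletedProcess:
    """Execute the validated command without a shell (shell=False is the default)."""
    argv = build_command_safe(action, service)
    return subprocess.run(argv, capture_output=True, text=True, timeout=30)


if __name__ == "__main__":
    payload = "haproxy; id"
    print("unsafe builds:", repr(build_command_unsafe("restart", payload)))
    print("safe rejects payload:", rejects("restart", payload))
    print("safe builds:", build_command_safe("restart", "haproxy"))
```

The same `rejects()` check, fed the parameter values from the published exploit, is a reasonable regression test to keep after upgrading: the hardened builder must refuse every one of them while still accepting the legitimate action and service names your installation uses.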
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution in Roxy-WI logs
- Multiple failed login attempts followed by successful access
- Suspicious system commands in web server logs
Network Indicators:
- Unusual outbound connections from Roxy-WI server
- Traffic to known malicious IPs
- Unexpected port scans originating from Roxy-WI server
SIEM Query (pseudo-syntax; adapt field names to your log source):
source="roxy-wi.log" OR source="access.log" AND request_path MATCHES "service" AND (action CONTAINS ANY(";", "|", "&", "`", "$(") OR service CONTAINS ANY(";", "|", "&", "`", "$("))
🔗 References
- https://github.com/0xs1ash/Exploits/tree/main/CVE-EXPLOIT
- https://github.com/roxy-wi/roxy-wi/pull/410
- https://github.com/roxy-wi/roxy-wi/pull/410#issuecomment-2561289700
- https://github.com/roxy-wi/roxy-wi/pull/410/commits/32313928eb9ce906887b8a30bf7b9a3d5c0de1be
- https://github.com/roxy-wi/roxy-wi/releases/tag/v8.1.4
- https://vuldb.com/?ctiid.290149
- https://vuldb.com/?id.290149
- https://vuldb.com/?submit.468530