CVE-2024-1659

9.8 CRITICAL

📋 TL;DR

CVE-2024-1659 is an unauthenticated arbitrary file upload vulnerability in MegaBIP software that allows attackers to upload malicious files (including PHP web shells) directly to the server. This affects all MegaBIP versions through 5.10, potentially compromising the entire web server.

💻 Affected Systems

Products:
  • MegaBIP (Biuletyn Informacji Publicznej software)
Versions: All versions through 5.10
Operating Systems: Any OS running MegaBIP (typically Windows Server with IIS)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects default installations; no special configuration required for exploitation

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server takeover via web shell, leading to data theft, ransomware deployment, or use of the host as an attack launchpad

🟠 Likely Case: Web shell installation enabling persistent backdoor access, data exfiltration, and lateral movement

🟢 If Mitigated: Limited impact if file uploads are blocked at the WAF/IPS layer and proper file validation is implemented

🌐 Internet-Facing: HIGH - Unauthenticated exploit allows direct internet-based attacks without credentials
🏢 Internal Only: MEDIUM - Still dangerous but requires internal network access; could be exploited via phishing or compromised internal systems

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP POST request with malicious file; trivial to automate and weaponize

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 5.11 or later

Vendor Advisory: https://megabip.pl/

Restart Required: Yes

Instructions:

1. Download MegaBIP version 5.11+ from the official vendor site
2. Back up the current installation
3. Install the update following the vendor instructions
4. Restart IIS/web server
5. Verify that file upload functionality is properly restricted

🔧 Temporary Workarounds

Web Application Firewall (WAF) Rules (platform: all)

Block file uploads to vulnerable endpoints and filter for PHP/executable file extensions

IIS Request Filtering (platform: windows)

Configure IIS request filtering to deny requests for dangerous file types:

<system.webServer>
  <security>
    <requestFiltering>
      <fileExtensions>
        <add fileExtension=".php" allowed="false" />
      </fileExtensions>
    </requestFiltering>
  </security>
</system.webServer>

Note: the fileExtensions rule denies requests whose URL ends in a listed extension, so it stops an uploaded script from being served rather than stopping the upload itself. If MegaBIP itself is served as PHP on the host, a site-wide ".php" deny would break the application, so scope the rule to the upload directory (for example with a <location> element) instead of applying it globally.

🧯 If You Can't Patch

  • Implement strict file upload validation: only allow specific whitelisted file types and extensions
  • Move MegaBIP behind authentication gateway requiring valid credentials before accessing upload functionality

🔍 How to Verify

Check if Vulnerable:

Attempt to upload a test file (e.g., test.php) to the MegaBIP upload endpoint without authentication; if the upload succeeds, the system is vulnerable

Check Version:

Check the MegaBIP admin panel or web.config for version information; the version is typically shown in the footer or on the about page

Verify Fix Applied:

Repeat the same upload test; the server should now require authentication or reject the file type

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to MegaBIP directories
  • POST requests to upload endpoints from unauthenticated sources
  • .php/.asp/.aspx files appearing in upload directories

Network Indicators:

  • HTTP POST requests with file uploads to MegaBIP paths from external IPs
  • Subsequent requests to uploaded executable files

SIEM Query:

source="web_logs" AND (uri_path="*upload*" OR uri_path="*MegaBIP*") AND (http_method="POST" AND (file_extension=".php" OR file_extension=".asp" OR file_extension=".aspx"))
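The correlation the indicators above describe, as an added example that is not from the original page or the MegaBIP project: it parses constructed IIS W3C-format log lines and flags requests for script files inside an upload directory, recording whether the same client first sent an unauthenticated POST to an upload path. The field set, paths and IP addresses are assumptions.

```python
"""Flag the CVE-2024-1659 pattern in IIS W3C logs: an unauthenticated POST to
an upload path from a client that later requests a script file under an
upload directory (an uploaded web shell being fetched)."""
from collections import defaultdict

# Constructed sample log in W3C format; paths and IPs are illustrative only.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2024-02-20 10:01:02 GET /index.php - 198.51.100.7 200
2024-02-20 10:01:05 POST /megabip/upload.php - 203.0.113.9 200
2024-02-20 10:01:09 GET /megabip/uploads/cmd.php - 203.0.113.9 200
2024-02-20 10:02:00 POST /megabip/upload.php admin 192.0.2.5 200
2024-02-20 10:02:10 GET /megabip/uploads/report.pdf - 192.0.2.5 200
2024-02-20 10:03:00 GET /megabip/uploads/shell.aspx - 198.51.100.7 404
"""

SCRIPT_EXTS = (".php", ".asp", ".aspx")


def parse_w3c(text):
    """Turn W3C log text into dicts keyed by the names in the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def find_suspicious(rows):
    """Return one finding per request for a script file in an upload directory.
    prior_uploads lists unauthenticated upload POSTs already seen from that
    client; an empty list is the weaker 'script in upload dir' indicator."""
    uploads = defaultdict(list)  # c-ip -> upload URIs POSTed without a username
    findings = []
    for r in rows:  # log order matters: the POST must precede the fetch
        stem = r["cs-uri-stem"].lower()
        directory = stem.rsplit("/", 1)[0]
        if r["cs-method"] == "POST" and "upload" in stem and r["cs-username"] == "-":
            uploads[r["c-ip"]].append(r["cs-uri-stem"])
        elif stem.endswith(SCRIPT_EXTS) and "/upload" in directory:
            findings.append({"c-ip": r["c-ip"], "script": r["cs-uri-stem"],
                             "status": r["sc-status"],
                             "prior_uploads": list(uploads.get(r["c-ip"], []))})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_w3c(SAMPLE_LOG)):
        print(f)
```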
