CVE-2024-23749

7.8 HIGH

📋 TL;DR

CVE-2024-23749 is a command injection vulnerability in KiTTY that allows attackers to execute arbitrary code by manipulating filename inputs. This affects KiTTY versions 0.76.1.13 and earlier. Users who process untrusted files or inputs with vulnerable KiTTY versions are at risk.

💻 Affected Systems

Products:
  • KiTTY
Versions: 0.76.1.13 and earlier
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the filename handling functionality at lines 2369-2390 of the source code.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker gaining complete control over the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case

Local privilege escalation or execution of malicious commands in the context of the KiTTY user, potentially leading to credential theft, data exfiltration, or persistence mechanisms.

🟢 If Mitigated

Limited impact with proper input validation and execution restrictions in place, potentially resulting in failed exploitation attempts or contained damage.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the attacker to control filename inputs, which could occur through malicious file uploads, crafted downloads, or user interaction with untrusted content.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.76.1.14 or later

Vendor Advisory: https://www.9bis.net/kitty/

Restart Required: Yes

Instructions:

1. Download the latest KiTTY version from the official website.
2. Uninstall the vulnerable version.
3. Install the patched version.
4. Restart the system if KiTTY was running.

🔧 Temporary Workarounds

Input Validation Enhancement

Platform: all

Implement strict filename validation to reject special characters and command injection attempts

Not applicable - requires code modification

Execution Restriction

Platform: all

Run KiTTY with minimal privileges and in restricted environments

On Linux: chmod 755 kitty && setfacl -m u:kittyuser:rx kitty
On Windows: Configure AppLocker or similar restrictions

🧯 If You Can't Patch

  • Disable or restrict KiTTY usage in environments processing untrusted files
  • Implement network segmentation to isolate KiTTY instances from critical systems

🔍 How to Verify

Check if Vulnerable:

Check KiTTY version in Help > About menu or run 'kitty --version' in terminal

Check Version:

kitty --version

Verify Fix Applied:

Confirm version is 0.76.1.14 or later and test with known malicious filename patterns

📡 Detection & Monitoring

Log Indicators:

  • Unusual process spawns from KiTTY
  • Suspicious command execution patterns
  • Filename parameters containing shell metacharacters

Network Indicators:

  • Unexpected outbound connections from KiTTY processes
  • Command and control traffic patterns

SIEM Query:

process_name:"kitty.exe" AND (command_line:"*;*" OR command_line:"*&*" OR command_line:"*|*" OR command_line:"*`*" OR command_line:"*$(*")
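The SIEM query above, applied offline to exported process-creation records and combined with the fixed-version threshold from the Fix section. This is an added example, not part of the original advisory; the record field names (`host`, `process_name`, `version`, `command_line`) and the sample records are constructed assumptions, not real KiTTY syntax or telemetry.

```python
import re

FIXED = (0, 76, 1, 14)  # first fixed version, per the advisory
# Same metacharacters the SIEM query matches: ; & | ` $(
META = re.compile(r"[;&|`]|\$\(")

# Constructed sample records (assumed export format, placeholder command lines).
SAMPLE_EVENTS = [
    {"host": "ws01", "process_name": "kitty.exe", "version": "0.76.1.13",
     "command_line": 'kitty.exe -ssh user@host'},
    {"host": "ws02", "process_name": "KiTTY.exe", "version": "0.76.1.13",
     "command_line": 'kitty.exe "name;part.txt"'},
    {"host": "ws03", "process_name": "kitty.exe", "version": "0.76.1.14",
     "command_line": 'kitty.exe "a|b$(c)"'},
    {"host": "ws04", "process_name": "notepad.exe", "version": "",
     "command_line": 'notepad.exe a;b'},
]

def parse_version(text):
    """Turn '0.76.1.13' into (0, 76, 1, 13); raises ValueError on junk."""
    return tuple(int(part) for part in text.strip().split("."))

def is_vulnerable(version_text):
    """True when the version sorts before the first fixed release."""
    return parse_version(version_text) < FIXED

def triage(events):
    """Return one finding per kitty.exe event whose command line has metacharacters."""
    findings = []
    for ev in events:
        if ev.get("process_name", "").lower() != "kitty.exe":
            continue
        hits = sorted(set(META.findall(ev.get("command_line", ""))))
        if not hits:
            continue
        try:
            vuln = is_vulnerable(ev.get("version", ""))
        except ValueError:
            vuln = None  # version missing or unparsable: keep the finding for follow-up
        findings.append({"host": ev.get("host"), "metachars": hits,
                         "vulnerable_version": vuln})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

A match is a lead for review rather than a verdict, since characters such as `&` also occur in legitimate command lines; findings with `vulnerable_version` set to `True` are the ones to review first.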
