CVE-2024-26135

8.3 HIGH

📋 TL;DR

This CVE describes a cross-site WebSocket hijacking vulnerability in MeshCentral's control.ashx endpoint, which handles administrative actions. An attacker can exploit it by tricking a logged-in user into clicking a malicious link, which lets the attacker perform administrative operations as the victim. All MeshCentral instances prior to version 1.1.21 are affected.

💻 Affected Systems

Products:
  • MeshCentral
Versions: All versions prior to 1.1.21
Operating Systems: All platforms running MeshCentral
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable; the control.ashx endpoint is essential for administrative functionality.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full administrative compromise of the MeshCentral server, allowing an attacker to execute arbitrary commands, access all managed systems, and potentially pivot into internal networks.

🟠 Likely Case

Unauthorized administrative actions performed on the MeshCentral server, potentially compromising managed endpoints or stealing sensitive data.

🟢 If Mitigated

Limited impact if network segmentation and access controls prevent administrative actions from reaching critical systems.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (clicking malicious link) and knowledge of the target MeshCentral instance URL.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.21

Vendor Advisory: https://github.com/Ylianst/MeshCentral/security/advisories/GHSA-cp68-qrhr-g9h8

Restart Required: Yes

Instructions:

1. Back up your MeshCentral configuration and data.
2. Update MeshCentral to version 1.1.21 or later using npm: 'npm install meshcentral@latest'.
3. Restart the MeshCentral service.

🔧 Temporary Workarounds

Restrict access to MeshCentral (all platforms)

Limit MeshCentral access to trusted networks only using firewall rules.

Implement CSRF protection headers (all platforms)

Add Content-Security-Policy headers to restrict WebSocket connections.

Add to web server config: Content-Security-Policy: connect-src 'self'

Caveat: a Content-Security-Policy header sent by the MeshCentral server only constrains pages that MeshCentral itself serves. A page hosted on another origin is governed by its own policy, so this header does not by itself stop a cross-site WebSocket handshake from a victim's browser. Server-side validation of the Origin header on control.ashx, which is what the 1.1.21 fix adds, is the control that addresses the vulnerability.

🧯 If You Can't Patch

  • Isolate MeshCentral server behind VPN or internal network only
  • Implement strict access controls and monitor for suspicious administrative actions

🔍 How to Verify

Check if Vulnerable:

Check MeshCentral version in web interface or via command: 'meshcentral --version'

Check Version:

meshcentral --version

Verify Fix Applied:

Confirm the version is 1.1.21 or later and verify that the control.ashx endpoint now validates the Origin header on WebSocket handshakes.
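The Origin check described above, written as an added Node.js example rather than MeshCentral's own code; the deployment host name, the header shapes and the helper names are assumptions:

```javascript
// Added example, not MeshCentral's own code: reject cross-site WebSocket
// upgrade requests by requiring the browser-supplied Origin header to match
// the host this server is deployed as. A page on another origin can make a
// victim's browser open the handshake with the victim's cookies, but it
// cannot choose the Origin header, so an exact match defeats that pattern.
// Uses the global WHATWG URL class available in Node.js.

// Strip the default port so "host:443" and "host" compare equal (assumed helper).
function normalizeHost(host, secure) {
  const h = String(host || '').toLowerCase();
  return h.replace(secure ? /:443$/ : /:80$/, '');
}

// Decide whether a WebSocket handshake may proceed. `headers` is a plain
// object of lower-cased header names, as Node's http.IncomingMessage gives.
// `allowedHosts` (optional) pins the deployment host; otherwise the request's
// own Host header is used, which is weaker if Host can be attacker-influenced.
function originAllowed(headers, { allowedHosts = [], secure = true } = {}) {
  const origin = headers['origin'];
  // Browsers always send Origin on WebSocket handshakes. A missing or
  // "null" Origin is treated as untrusted rather than silently accepted.
  if (typeof origin !== 'string' || origin === '' || origin === 'null') return false;
  let parsed;
  try { parsed = new URL(origin); } catch (e) { return false; }
  // An http:// page must not be allowed to drive an https:// control channel.
  if (parsed.protocol !== (secure ? 'https:' : 'http:')) return false;
  const candidates = allowedHosts.length ? allowedHosts : [headers['host']];
  // Exact host comparison: suffix or substring matching is a classic bypass.
  return candidates.some((h) => normalizeHost(h, secure) === normalizeHost(parsed.host, secure));
}

// Handshake gate for an http.Server 'upgrade' listener (assumed wiring).
// Returns true when the upgrade may continue, false after refusing it.
function handleUpgrade(req, socket, allowedHosts) {
  if (!originAllowed(req.headers, { allowedHosts })) {
    socket.write('HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n');
    socket.destroy();
    return false;
  }
  return true;
}
```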

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized websocket connections to control.ashx
  • Administrative actions from unexpected IP addresses

Network Indicators:

  • Cross-origin websocket requests to control.ashx endpoint
  • Websocket handshakes without proper Origin headers

SIEM Query:

source="meshcentral.log" AND "control.ashx" AND "WebSocket" AND NOT origin="https://your-meshcentral-domain.com"
