CVE-2024-27488
📋 TL;DR
ZLMediaKit ships a fixed default value for the HTTP API secret (the secret key in the [api] section of config.ini). Because that value is published in the project's own sample configuration, no discovery step is needed: anyone who can reach the HTTP port of a deployment that kept the default can call the protected API with full API privileges. That includes reading and rewriting server configuration, enumerating and pulling media streams, and exposing other sensitive data the API returns. All ZLMediaKit deployments running the default configuration are affected.
💻 Affected Systems
- ZLMediaKit
⚠️ Manual Verification Required
The CVE record for this issue carries no affected-version range, so automated version matching cannot tell you whether a given build is affected.
Why? NVD and the vendor entry do not specify which versions are vulnerable, and ZLMediaKit has historically been distributed as source builds identified by git commit and build date rather than by a release number. Treat any build that still has the default secret configured as affected, regardless of version.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the media server: with the default secret an attacker has the same control over the API as an administrator, can read and modify the running configuration, access every published stream, disrupt service, and potentially use API features that spawn external processes or the host's network position to pivot further.
Likely Case
Unauthorized viewing and enumeration of media streams, theft of configuration data (including any other credentials stored in config.ini), and service disruption through configuration changes made over the API.
If Mitigated
Limited impact once the secret has been replaced with a strong random value and the API port is reachable only from trusted networks; only callers holding the new secret can use protected API functions.
🎯 Exploit Status
Exploitation requires nothing beyond network access to the HTTP API port: the default secret is a fixed string published in the project's sample config.ini, so an attacker does not need to discover it. Any unauthenticated HTTP client can supply it as the secret parameter on a request to /index/api/.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.0.1 or later
Vendor Advisory: https://github.com/ZLMediaKit/ZLMediaKit/security/advisories
Restart Required: Yes
Instructions:
1. Update ZLMediaKit to version 8.0.1 or later.
2. Replace the default value of secret in the [api] section of config.ini with a strong, unique random value (for example, 32 or more bytes from a cryptographically secure generator).
3. Restart the ZLMediaKit service so that both the new binary and the new configuration take effect.
4. Update every legitimate API client to send the new secret; any client still presenting the old default should be treated as an alert (see Detection & Monitoring).
🔧 Temporary Workarounds
Disable HTTP API
Completely disable the HTTP API interface if you do not need it.
The page's suggested setting is api.enable_http_api = false in the ZLMediaKit configuration file. Check that the key exists in your build before relying on it: the upstream sample config.ini has no dedicated API on/off switch in its [api] section (it carries apiDebug, secret, snapRoot and defaultSnap), and the API is served by the same HTTP server as everything else under /index/api/. Where no such key is available, the equivalent is to keep the [http] port (default 80, sslport 443) unreachable from untrusted networks.
Change Default Secret
Replace the hardcoded default secret with a strong, unique value. This is the mitigation that actually closes the issue and should be applied whether or not you can patch.
In config.ini the setting is an INI key, written without quotes:
[api]
secret=<long random value, e.g. the output of openssl rand -hex 32>
Every protected API call must then carry the new value in the secret parameter (query string, form body or JSON body). Note that ZLMediaKit skips the secret check for requests arriving from 127.0.0.1, so local callers keep working but also means local-only testing does not prove the secret is enforced.
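The following is an added example for this page, not code from the ZLMediaKit project. It audits a config.ini for the default API secret and rewrites it with a fresh 256-bit value, preserving the rest of the file (comments included) so it can be dropped into the fix procedure above. It assumes the INI layout of the upstream sample config.ini (an [api] section with a plain secret= key); the DEFAULT_SECRET constant is the value shipped in that sample file, which you should confirm against your own copy. The sample configuration text is constructed for the example.

```python
"""Audit and rotate the [api] secret in a ZLMediaKit-style config.ini.

Added example for this page, not ZLMediaKit project code. Assumes the INI
layout of the upstream sample conf/config.ini: an [api] section holding a
plain `secret=` key. Comments and other sections are preserved on rewrite.
"""
import re
import secrets

# Secret shipped in the upstream sample conf/config.ini; confirm against your copy.
DEFAULT_SECRET = "035c73f7-bb6b-4889-a715-d9eb2d1925cc"

# Example policy: anything shorter than 32 characters is treated as weak.
MIN_SECRET_LEN = 32

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
# key=value; comment lines (starting with # or ;) never match because the
# key class excludes those characters.
KV_RE = re.compile(r"^(?P<key>\s*[^=;#]+?)\s*=\s*(?P<val>.*?)\s*$")

# Constructed sample of a vulnerable config (not taken from a real deployment).
SAMPLE_CONFIG = """\
[api]
#debug http api
apiDebug=1
secret=035c73f7-bb6b-4889-a715-d9eb2d1925cc
[http]
port=80
"""


def find_api_secret(text: str):
    """Return the secret configured under [api], or None if absent."""
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name").strip()
            continue
        if section == "api":
            kv = KV_RE.match(line)
            if kv and kv.group("key").strip() == "secret":
                return kv.group("val")
    return None


def is_weak(secret) -> bool:
    """Default, missing, empty or short secrets all count as weak."""
    if not secret:
        return True
    if secret == DEFAULT_SECRET:
        return True
    return len(secret) < MIN_SECRET_LEN


def rotate_secret(text: str, new_secret: str = None):
    """Return (new_config_text, new_secret).

    Replaces the secret= line inside [api], adds one if the section lacks it,
    and creates the section if the file has none. Other lines are untouched.
    """
    new_secret = new_secret or secrets.token_hex(32)  # 256 bits of randomness
    out, section, replaced = [], None, False
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            # Leaving [api] without having seen a secret= line: add one.
            if section == "api" and not replaced:
                out.append(f"secret={new_secret}")
                replaced = True
            section = m.group("name").strip()
            out.append(line)
            continue
        if section == "api":
            kv = KV_RE.match(line)
            if kv and kv.group("key").strip() == "secret":
                out.append(f"secret={new_secret}")
                replaced = True
                continue
        out.append(line)
    if section == "api" and not replaced:
        out.append(f"secret={new_secret}")
        replaced = True
    if not replaced:
        out.extend(["[api]", f"secret={new_secret}"])
    return "\n".join(out) + "\n", new_secret


if __name__ == "__main__":
    current = find_api_secret(SAMPLE_CONFIG)
    print("current secret weak:", is_weak(current))
    rotated, fresh = rotate_secret(SAMPLE_CONFIG)
    print(rotated)
```

Run it against the real file by replacing SAMPLE_CONFIG with the file contents, write the returned text back, and restart the service; the returned secret is what your API clients must now send.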
🧯 If You Can't Patch
- Implement network segmentation so that the ZLMediaKit HTTP port (and therefore /index/api/) is reachable only from the hosts that legitimately call the API; stream consumers normally do not need API access at all.
- Deploy web application firewall or reverse-proxy rules that block /index/api/ requests from outside that allowlist. Because the default secret is a fixed string, a rule that matches it literally in the query string or request body is also effective and produces a high-fidelity alert.
🔍 How to Verify
Check if Vulnerable:
Check whether the ZLMediaKit version is in the range this page lists as affected (1.0 through 8.0) and, more decisively, whether the HTTP API is reachable and still configured with the default secret: a request to a protected endpoint such as /index/api/getServerConfig that carries the default secret and returns a JSON body with code 0 confirms the issue regardless of version.
Check Version:
Check the startup banner in the ZLMediaKit logs, which records the build (git commit and build time) the binary was produced from, or the version information exposed by your build's API where available.
Verify Fix Applied:
Verify that ZLMediaKit is at version 8.0.1 or later, that the secret under [api] in config.ini no longer equals the default value, and that a request with the default secret from a non-local host is rejected (non-zero code in the JSON response).
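As an added example (not part of the original page or the ZLMediaKit project), this probe performs the check described above from a remote host: it asks a read-only protected endpoint for the server configuration using the default secret and classifies the answer. It assumes the upstream API conventions: endpoints under /index/api/, the secret passed as the secret query parameter, and a JSON reply whose code field is 0 on success and non-zero on rejection. The DEFAULT_SECRET value is taken from the upstream sample config.ini; confirm it against your copy. The sample responses in the test are constructed.

```python
"""Probe a ZLMediaKit HTTP API for acceptance of the default secret.

Added example for this page, not ZLMediaKit project code. Assumes the
upstream API conventions (/index/api/<name>?secret=..., JSON reply with a
numeric "code", 0 meaning success). getServerConfig is read-only, so it is
a safe endpoint to use for the check.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

# Value shipped in the upstream sample conf/config.ini; confirm against your copy.
DEFAULT_SECRET = "035c73f7-bb6b-4889-a715-d9eb2d1925cc"


def build_probe_url(base_url: str, secret: str = DEFAULT_SECRET,
                    endpoint: str = "getServerConfig") -> str:
    """Assemble the API URL; urlencode keeps the secret safe in the query string."""
    base = base_url.rstrip("/")
    return f"{base}/index/api/{endpoint}?" + urllib.parse.urlencode({"secret": secret})


def classify(status: int, body: str) -> str:
    """Map an HTTP status and raw body to a verdict.

    vulnerable : default secret accepted (code 0), configuration was returned
    protected  : API present but the secret was rejected (non-zero code)
    no-api     : path not served at all
    unknown    : not a ZLMediaKit-style JSON reply
    """
    if status == 404:
        return "no-api"
    try:
        data = json.loads(body)
    except ValueError:
        return "unknown"
    if not isinstance(data, dict):
        return "unknown"
    code = data.get("code")
    if not isinstance(code, int):
        return "unknown"
    return "vulnerable" if code == 0 else "protected"


def probe(base_url: str, secret: str = DEFAULT_SECRET, timeout: float = 5.0) -> str:
    """Issue the request and classify the reply; network errors map to 'unreachable'."""
    req = urllib.request.Request(
        build_probe_url(base_url, secret),
        headers={"User-Agent": "zlm-default-secret-check"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as exc:
        return classify(exc.code, exc.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, TimeoutError, OSError):
        return "unreachable"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://192.0.2.10:80"  # placeholder target
    print(probe(target))
```

Run the probe from a host other than the media server: ZLMediaKit does not require the secret for requests from 127.0.0.1, so a loopback probe reports "vulnerable" even on a correctly configured server. A "protected" verdict only means the default was rejected; it does not prove the configured secret is strong.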
📡 Detection & Monitoring
Log Indicators:
- API calls that succeed while carrying the default secret (before rotation this is the compromise itself; after rotation it is either an attacker or a stale integration, and both deserve a ticket)
- Repeated API calls rejected for a wrong secret, which indicates someone probing for the default or guessing values
- API requests from hosts that are not known API clients, or for endpoints your integrations never use (configuration reads and writes are the most telling)
Network Indicators:
- HTTP requests to /index/api/* endpoints whose secret parameter equals the default value; match it as a literal in the query string and, where your sensor sees request bodies, in form or JSON bodies too, since ZLMediaKit accepts the parameter in all three places
- Unusual traffic to the ZLMediaKit HTTP port from outside the expected client set, especially bursts of API calls or configuration dumps; note that TLS to the sslport hides the query string from passive network sensors, so terminate TLS at a proxy that logs requests if you rely on this indicator
SIEM Query:
source="ZLMediaKit" AND uri_path="/index/api/*" AND (secret="<default secret value from config.ini>" OR NOT src_ip IN <allowlist of API clients>)
Field names depend on your log source and parser; substitute the literal default secret and your client allowlist for the placeholders. The first clause catches use of the default credential, the second catches API access from unexpected sources even when the secret is not visible (for example, sent in a POST body).
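The two indicators above, expressed as runnable detection logic, as an added example that is not part of the original page or of ZLMediaKit. It reads reverse-proxy access log lines in Combined Log Format (the lines here are constructed for the example), flags any /index/api/ request carrying the default secret in its query string, and flags API requests from sources outside a client allowlist. The allowlist network and the DEFAULT_SECRET value (taken from the upstream sample config.ini; confirm against your copy) are assumptions to adjust for your environment.

```python
"""Detect default-secret use and unexpected API callers in HTTP access logs.

Added example for this page, not ZLMediaKit project code. Assumes Combined
Log Format lines from a reverse proxy in front of ZLMediaKit. Secrets sent
in POST bodies are not present in access logs; the source-allowlist rule
covers those requests.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Value shipped in the upstream sample conf/config.ini; confirm against your copy.
DEFAULT_SECRET = "035c73f7-bb6b-4889-a715-d9eb2d1925cc"
API_PREFIX = "/index/api/"
# Example allowlist of legitimate API clients (assumption; adjust to your network).
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) '
)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOGS = """\
10.1.2.3 - - [12/Mar/2024:10:00:01 +0000] "GET /index/api/getMediaList?secret=REDACTEDREDACTEDREDACTED HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2024:10:00:05 +0000] "GET /index/api/getServerConfig?secret=035c73f7-bb6b-4889-a715-d9eb2d1925cc HTTP/1.1" 200 8213
203.0.113.7 - - [12/Mar/2024:10:00:06 +0000] "POST /index/api/setServerConfig HTTP/1.1" 200 44
10.1.2.3 - - [12/Mar/2024:10:00:09 +0000] "GET /live/test.flv HTTP/1.1" 200 99999
198.51.100.9 - - [12/Mar/2024:10:00:12 +0000] "GET /index/api/getApiList HTTP/1.1" 200 1024
"""


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    query = parse_qs(parts.query)
    return {
        "ip": m["ip"],
        "method": m["method"],
        "path": parts.path,
        "secret": query.get("secret", [None])[0],  # None when sent in a body or absent
        "status": int(m["status"]),
    }


def is_allowed(ip: str) -> bool:
    """True if the source address is inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETS)


def analyze(log_text: str):
    """Return (rule, source_ip, path) findings for API requests in the log."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not rec["path"].startswith(API_PREFIX):
            continue
        if rec["secret"] == DEFAULT_SECRET:
            findings.append(("default-secret-used", rec["ip"], rec["path"]))
        if not is_allowed(rec["ip"]):
            findings.append(("api-from-unexpected-source", rec["ip"], rec["path"]))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(*finding)
```

In the sample, the configuration dump from 203.0.113.7 trips both rules, the follow-up POST to setServerConfig from the same host is caught only by the allowlist rule because its secret travelled in the body, and the stream download from an allowed host produces nothing.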