CVE-2024-36622

9.8 CRITICAL

📋 TL;DR

CVE-2024-36622 is a command injection vulnerability in RaspAP raspap-webgui that allows attackers to execute arbitrary commands on the system by exploiting improper input sanitization in the clearlog.php script. This affects all users running RaspAP versions 3.0.9 and earlier. Successful exploitation could lead to complete system compromise.

💻 Affected Systems

Products:
  • RaspAP raspap-webgui
Versions: 3.0.9 and earlier
Operating Systems: Raspberry Pi OS, Debian-based Linux distributions
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations with the vulnerable clearlog.php script accessible via the web interface.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with root privileges, allowing installation of persistent backdoors, data theft, and use as a pivot point in the network.

🟠 Likely Case

Remote code execution leading to service disruption, unauthorized configuration changes, and credential harvesting.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent exploitation attempts.

🌐 Internet-Facing: HIGH - Web interface is typically exposed for management, making it directly accessible to attackers.
🏢 Internal Only: HIGH - Even internally, any user with network access to the interface could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof of concept available in public references; exploitation requires network access to the web interface but no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.0 and later

Vendor Advisory: https://github.com/RaspAP/raspap-webgui/commit/c98d2b0c15942b4829d31dec615b9b40cc6faa14

Restart Required: No

Instructions:

1. Update RaspAP to version 3.1.0 or later, e.g. by running git pull origin master in the RaspAP web root (the paths in this advisory assume /var/www/html)
2. Verify that the clearlog.php file has been patched (see How to Verify below)
3. No service restart is required for web interface changes

🔧 Temporary Workarounds

Disable clearlog.php access

Remove the vulnerable script, or, if you want to keep the file in place for later patching, strip all permissions from it instead. Use one command or the other, not both in sequence: chmod cannot be applied to a file that has already been removed. Either option disables the "clear log" function in the web interface until the patch is applied.

sudo rm /var/www/html/ajax/logging/clearlog.php
sudo chmod 000 /var/www/html/ajax/logging/clearlog.php

Network access restriction

Restrict web interface access to trusted IPs only. Replace 192.168.1.0/24 with your management network; these allow rules only restrict access when ufw is enabled with a default policy that denies incoming connections, otherwise they add nothing.

sudo ufw allow from 192.168.1.0/24 to any port 80
sudo ufw allow from 192.168.1.0/24 to any port 443

🧯 If You Can't Patch

  • Disable the RaspAP web interface entirely and use alternative management methods
  • Implement strict network segmentation to isolate the vulnerable device from critical systems

🔍 How to Verify

Check if Vulnerable:

Check whether clearlog.php exists and reads the $_GET['logfile'] parameter: grep -r "\$_GET\['logfile'\]" /var/www/html/ajax/logging/ (a match shows the parameter is read; the installation is vulnerable if that value reaches a shell command without being escaped, so compare with Verify Fix Applied below)

Check Version:

grep 'RASPI_VERSION' /var/www/html/includes/config.php

Verify Fix Applied:

Verify clearlog.php uses proper input validation: grep -r "escapeshellarg" /var/www/html/ajax/logging/clearlog.php

📡 Detection & Monitoring

Log Indicators:

  • Unusual commands in web server logs referencing clearlog.php with suspicious parameters
  • System logs showing unexpected process execution from www-data user

Network Indicators:

  • HTTP requests to /ajax/logging/clearlog.php with shell metacharacters in parameters
  • Outbound connections from Raspberry Pi to unexpected destinations

SIEM Query (pseudo-syntax; adapt field names to your platform, and URL-decode parameter values before matching, since ';' and similar characters usually arrive encoded, e.g. as %3B):

source="web_access.log" AND uri="/ajax/logging/clearlog.php" AND (param="logfile" AND value MATCHES "[;&|`$()]+")
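The log and network indicators above can be turned into a small scanning check. The following Python script is an added example, not part of this advisory or of the RaspAP project: it assumes web_access.log is in the Apache/nginx combined format, uses the endpoint path and metacharacter set given in the indicators, and runs against constructed sample lines so it works offline. It percent-decodes each query parameter before matching, which the SIEM pseudo-query above relies on the platform to do.

```python
"""Scan web-server access-log lines for requests that match the advisory's
indicators: hits on /ajax/logging/clearlog.php whose decoded query
parameters contain shell metacharacters. The log lines at the bottom are
constructed samples, not data from a real RaspAP host."""
import re
from urllib.parse import unquote_plus, urlsplit

# Endpoint and metacharacter set from the advisory's detection section.
TARGET_PATH = "/ajax/logging/clearlog.php"
SHELL_META = re.compile(r"[;&|`$()]")

# Assumes the Apache/nginx "combined" log format for web_access.log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def decode_query(query):
    """Split a raw query string on '&' and percent-decode each name and value.

    Splitting is done by hand rather than with parse_qs so that a decoded
    ';' or '&' inside a value stays part of that value for inspection."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def parse_line(line):
    """Return the fields this check needs, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    target = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "path": target.path,
        "params": decode_query(target.query),
    }


def suspicious_params(params):
    """Return (name, decoded value) pairs whose value contains a shell metacharacter."""
    return [
        (name, value)
        for name, values in params.items()
        for value in values
        if SHELL_META.search(value)
    ]


def scan(lines):
    """Return one alert per clearlog.php request carrying suspicious parameters.

    Unparseable lines and requests for other paths are skipped; a 200 status
    on a flagged request is worth treating as a possible successful attempt."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != TARGET_PATH:
            continue
        hits = suspicious_params(rec["params"])
        if hits:
            alerts.append({"ip": rec["ip"], "ts": rec["ts"],
                           "status": rec["status"], "hits": hits})
    return alerts


# Constructed sample lines: one legitimate clear-log call, two with encoded
# metacharacters (%3B is ';', %24%28...%29 is '$(...)'), one unrelated page
# request, and one line that is not in combined format at all.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jun/2024:10:01:02 +0000] "GET /ajax/logging/clearlog.php?logfile=dnsmasq.log HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Jun/2024:10:02:17 +0000] "GET /ajax/logging/clearlog.php?logfile=dnsmasq.log%3Bfoo HTTP/1.1" 200 41 "-" "curl/8.0"',
    '10.0.0.9 - - [12/Jun/2024:10:02:40 +0000] "GET /ajax/logging/clearlog.php?logfile=x%24%28bar%29 HTTP/1.1" 200 41 "-" "curl/8.0"',
    '10.0.0.5 - - [12/Jun/2024:10:03:00 +0000] "GET /index.php?page=dhcp%3Bbaz HTTP/1.1" 200 5210 "-" "Mozilla/5.0"',
    'this line is not in combined log format',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['ip']} status={alert['status']} {alert['hits']}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; the fourth sample line shows that metacharacters on other endpoints are deliberately ignored so the check stays focused on the endpoint this CVE concerns, and the response status is kept so that flagged requests answered with 200 can be prioritised.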

🔗 References
