CVE-2024-42733

9.8 CRITICAL

📋 TL;DR

CVE-2024-42733 is a critical remote code execution vulnerability in Docmosis Tornado document generation software. It allows attackers to execute arbitrary code by injecting malicious scripts through UNC path inputs. All users running Docmosis Tornado version 2.9.7 and earlier are affected.

💻 Affected Systems

Products:
  • Docmosis Tornado
Versions: v2.9.7 and all earlier versions
Operating Systems: All operating systems where Docmosis Tornado runs
Default Config Vulnerable: ⚠️ Yes
Notes: Any deployment using UNC path functionality is vulnerable. The vulnerability affects the core document generation functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary commands with the privileges of the Docmosis Tornado service, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case

Attackers gain an initial foothold on the server hosting Docmosis Tornado, enabling further exploitation, data exfiltration, or deployment of malware.

🟢 If Mitigated

The attack is blocked at the network perimeter or application firewall level, preventing exploitation attempts from reaching vulnerable systems.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely without authentication, making internet-facing instances immediate targets.
🏢 Internal Only: HIGH - Even internally accessible instances are at significant risk from insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof of concept code is publicly available, making exploitation straightforward for attackers with basic skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.9.8 or later

Vendor Advisory: https://github.com/Docmosis/tornado-docker/issues/14

Restart Required: Yes

Instructions:

1. Download the latest version of Docmosis Tornado (v2.9.8 or newer).
2. Stop the current Docmosis Tornado service.
3. Replace the existing installation with the updated version.
4. Restart the Docmosis Tornado service.
5. Verify the update was successful.

🔧 Temporary Workarounds

Network Segmentation (Linux)

Block inbound traffic to Docmosis Tornado instances from untrusted networks. Replace the bracketed placeholders with the port Docmosis Tornado listens on and the trusted source network; the ACCEPT rule must be inserted before the DROP rule, because iptables evaluates rules in order:

iptables -A INPUT -p tcp --dport [Docmosis_PORT] -s [TRUSTED_NETWORK] -j ACCEPT
iptables -A INPUT -p tcp --dport [Docmosis_PORT] -j DROP

Input Validation (all platforms)

Implement strict input validation in front of the document generation endpoint so that UNC path inputs containing script content are rejected before they reach Docmosis Tornado.

🧯 If You Can't Patch

  • Isolate vulnerable systems in a dedicated network segment with strict access controls
  • Implement web application firewall rules to block UNC path injection patterns

🔍 How to Verify

Check if Vulnerable:

Check the Docmosis Tornado version. If it's 2.9.7 or earlier, the system is vulnerable.

Check Version:

Check the application version in the Docmosis Tornado web interface or configuration files

Verify Fix Applied:

Verify the installed version is 2.9.8 or later and test that UNC path inputs are properly sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual UNC path requests in application logs
  • Failed script execution attempts
  • Unexpected process creation from Docmosis Tornado service

Network Indicators:

  • Outbound connections from Docmosis server to unexpected destinations
  • Unusual traffic patterns to/from Docmosis ports

SIEM Query:

source="docmosis.log" AND (UNC OR "\\" OR script) AND (error OR failed OR exception)
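The following added example (not Docmosis code, and not from the page's author) covers both the Input Validation workaround above and the SIEM query: it rejects UNC-style paths outright and only accepts template names from a strict allowlist, and it runs the same UNC-plus-error logic as the SIEM query over a few constructed log lines. The log format, the field names and the assumption that Docmosis Tornado receives the template path as a plain string are all assumptions; the sample log lines are constructed, not real Docmosis output.

```python
import re
from typing import Dict, Iterable, List

# UNC-style paths: \\host\share or //host/share. The negative lookbehind keeps
# "http://host/path" from being counted as a UNC path.
UNC_PATTERN = re.compile(r"(?<!:)(?:\\\\|//)[^\\/\s]+[\\/][^\\/\s]+")

# Allowlist for template names: relative path segments of safe characters plus
# an extension. Deliberately strict; anything else is refused rather than cleaned.
SAFE_TEMPLATE_NAME = re.compile(r"^[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*\.[A-Za-z0-9]+$")

# Tokens from the SIEM query on the page.
ERROR_TOKENS = ("error", "failed", "exception")


def is_unc_path(value: str) -> bool:
    """True if the string contains a UNC-style path."""
    return bool(UNC_PATTERN.search(value))


def validate_template_name(value: str) -> str:
    """Return the template name unchanged if it passes, otherwise raise ValueError.

    The page's workaround asks for UNC paths with script content to be rejected;
    this is stricter and rejects every UNC path, then applies the allowlist.
    """
    if is_unc_path(value):
        raise ValueError("UNC paths are not accepted as template names")
    if not SAFE_TEMPLATE_NAME.fullmatch(value):
        raise ValueError("template name must be a relative path of safe characters")
    return value


def rejects(value: str) -> bool:
    """Helper for tests: True when validate_template_name refuses the value."""
    try:
        validate_template_name(value)
    except ValueError:
        return True
    return False


# Constructed sample log lines (hypothetical format, not real Docmosis output).
SAMPLE_LOG = [
    "2024-08-01 10:00:01 INFO render template=invoice.docx status=ok",
    r"2024-08-01 10:00:05 ERROR render template=\\10.0.0.5\share\t.docx exception=open failed",
    "2024-08-01 10:00:09 WARN render template=//fileserver/templates/x.docx failed to open",
    "2024-08-01 10:00:12 INFO render template=report.docx status=ok",
]


def find_unc_indicators(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Flag lines that contain a UNC path together with an error/failed/exception token.

    This mirrors the SIEM query above but requires both conditions on one line,
    which keeps ordinary successful renders out of the result.
    """
    hits: List[Dict[str, object]] = []
    for line_no, line in enumerate(lines, 1):
        lowered = line.lower()
        match = UNC_PATTERN.search(line)
        if match and any(tok in lowered for tok in ERROR_TOKENS):
            hits.append({"line_no": line_no, "unc": match.group(0), "text": line})
    return hits


if __name__ == "__main__":
    for name in ("forms/2024/invoice.docx", r"\\srv\share\t.docx", "../secret.docx"):
        print(f"{name!r}: {'rejected' if rejects(name) else 'accepted'}")
    for hit in find_unc_indicators(SAMPLE_LOG):
        print(f"line {hit['line_no']}: UNC path {hit['unc']} with error token")
```

Run it directly to see the three validation decisions and the two flagged log lines. The allowlist is intentionally narrow (no dots inside directory names, no absolute paths, no `..`); widening it is a deliberate decision, not something the validator does on its own.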
