CVE-2024-45171

8.8 HIGH

📋 TL;DR

CVE-2024-45171 is an unrestricted file upload vulnerability in za-internet C-MOR Video Surveillance 5.2401 that allows authenticated users to upload arbitrary files, including PHP webshells, by naming files with '.cbkf' in the filename. This enables remote code execution on affected systems. All installations running vulnerable versions are affected.

💻 Affected Systems

Products:
  • za-internet C-MOR Video Surveillance
Versions: Version 5.2401 (specific version mentioned in advisory)
Operating Systems: Linux-based C-MOR appliance
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access, but low-privilege users can exploit due to broken access control.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise via webshell leading to data exfiltration, lateral movement, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Attackers upload PHP webshells to gain remote code execution, steal surveillance footage, manipulate recordings, or use the system as a pivot point.

🟢 If Mitigated

With proper network segmentation and monitoring, impact is limited to an isolated surveillance system with no access to critical infrastructure.

🌐 Internet-Facing: HIGH - Web interface typically exposed for remote access, allowing authenticated attackers to exploit remotely.
🏢 Internal Only: HIGH - Even internal attackers with low-privilege accounts can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation is straightforward: an authenticated user uploads a file with .cbkf in the filename and accesses it via a predictable URL path.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown - check vendor for updates

Vendor Advisory: Not provided in references

Restart Required: No

Instructions:

1. Contact za-internet for patch information
2. Apply vendor-provided update
3. Verify file upload restrictions are properly implemented

🔧 Temporary Workarounds

Restrict file upload directory permissions

linux

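Set strict ownership and permissions on the /srv/www/backups directory and delete any PHP files already stored in it. These commands control who can write to the directory; they do not stop the web server from executing PHP files placed there, which the web server configuration workaround covers.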

chmod 755 /srv/www/backups
chown root:root /srv/www/backups
find /srv/www/backups -name '*.php' -delete

Web server configuration to block PHP execution

linux

Configure web server to deny execution of PHP files in backups directory

For Apache: Add 'php_flag engine off' to .htaccess in /backups directory
For Nginx: Add 'location ~ \.php$ { deny all; }' to backups location block

🧯 If You Can't Patch

  • Disable or restrict access to backup upload functionality for low-privilege users
  • Implement WAF rules to block file uploads with .cbkf.php patterns and monitor for suspicious upload attempts

🔍 How to Verify

Check if Vulnerable:

Check whether the system is running C-MOR 5.2401 and test whether an authenticated user can upload a file with a .cbkf.php extension via the backup upload feature.

Check Version:

Check C-MOR web interface admin panel or system information page for version number.

Verify Fix Applied:

Attempt to upload a test file with a .cbkf.php extension; it should be rejected, or the uploaded file should not be executable.

📡 Detection & Monitoring

Log Indicators:

  • File uploads to /backups/ directory with .cbkf in filename
  • HTTP requests to /backup/upload_*.php patterns
  • Unusual file creation in /srv/www/backups/

Network Indicators:

  • POST requests to backup upload endpoints with PHP file content
  • Subsequent GET requests to uploaded PHP files

SIEM Query:

source="web_logs" AND ((uri_path="/backup/upload_*" AND method="POST") OR (uri_path="/backup/upload_*.php" AND method="GET"))
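
The log indicators above can also be checked offline against a web server access log. The following Python script is an added example, not code from the vendor or from the advisory; it assumes combined-format access log lines, and the sample lines, IP addresses and file names in it are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumption: Apache/Nginx "combined"-style access log lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)
# Path patterns taken from the Log Indicators list on this page.
UPLOAD_RE = re.compile(r"^/backup/upload_[^/]*$")
BACKUP_DIR_RE = re.compile(r"^/backups?/")

# Constructed sample input (documentation IP ranges, placeholder file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Sep/2024:10:00:01 +0000] "POST /backup/upload_EXAMPLE.php HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Sep/2024:10:00:09 +0000] "GET /backup/upload_test.cbkf.php HTTP/1.1" 200 64',
    '198.51.100.7 - - [01/Sep/2024:10:05:00 +0000] "GET /backup/nightly.cbkf HTTP/1.1" 200 90210',
    '203.0.113.5 - - [01/Sep/2024:10:07:00 +0000] "GET /backups/a.cbkf%2Ephp?x=1 HTTP/1.1" 404 0',
    'not a log line',
]


def masquerades_as_backup(filename: str) -> bool:
    """True when '.cbkf' is in the name but is not the final extension."""
    name = filename.lower()
    return ".cbkf" in name and not name.endswith(".cbkf")


def scan(lines):
    """Return (severity, ip, path, status) findings. Severity is 'high' when
    the same client POSTed to an upload endpoint earlier in the log."""
    uploaders, findings = set(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        # Decode percent-encoding so '%2Ephp' is compared as '.php'.
        path = unquote(urlsplit(m["uri"]).path)
        if m["method"] == "POST" and UPLOAD_RE.match(path):
            uploaders.add(m["ip"])
        name = path.rsplit("/", 1)[-1]
        if BACKUP_DIR_RE.match(path) and masquerades_as_backup(name):
            severity = "high" if m["ip"] in uploaders else "medium"
            findings.append((severity, m["ip"], path, int(m["status"])))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A 200 status on a "high" finding means the file was served and the host should be examined; legitimate backups whose final extension is .cbkf are not reported.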
