CVE-2024-46080
📋 TL;DR
Scriptcase v9.10.023 and earlier contains a vulnerability in the nm_zip function that allows remote attackers to execute arbitrary code on affected systems. This affects all organizations using vulnerable Scriptcase versions for web application development. Attackers can compromise the entire server through this RCE vulnerability.
💻 Affected Systems
- Scriptcase
📦 What is this software?
Scriptcase by Scriptcase
⚠️ Risk & Real-World Impact
Worst Case
Complete server takeover leading to data theft, ransomware deployment, lateral movement to other systems, and persistent backdoor installation.
Likely Case
Webshell deployment, credential harvesting, data exfiltration, and use as pivot point for further attacks.
If Mitigated
Limited impact if proper network segmentation, WAF rules, and least privilege principles are implemented.
🎯 Exploit Status
The vulnerability is publicly documented with technical details, making exploitation straightforward for attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v9.10.024 or later
Vendor Advisory: https://blog.hawktesters.com/zero-day-alert-scriptcase-vulnerabilities-rce/
Restart Required: Yes
Instructions:
1. Backup your Scriptcase installation and databases.
2. Download the latest version from the official Scriptcase website.
3. Follow the Scriptcase upgrade documentation to apply the update.
4. Restart the web server and verify functionality.
🔧 Temporary Workarounds
Disable nm_zip function
All platforms: Temporarily disable the vulnerable nm_zip function if immediate patching isn't possible
Modify Scriptcase configuration to remove or restrict nm_zip function access
WAF Rule Implementation
All platforms: Add web application firewall rules to block nm_zip function exploitation attempts
Add WAF rule to block requests containing suspicious nm_zip parameters
🧯 If You Can't Patch
- Isolate Scriptcase servers from internet access and restrict to internal network only
- Implement strict network segmentation and monitor all traffic to/from Scriptcase servers
🔍 How to Verify
Check if Vulnerable:
Check Scriptcase version in administration panel or by examining installation files
Check Version:
Check Scriptcase admin panel or look for version information in installation directory
Verify Fix Applied:
Verify version is v9.10.024 or later and test nm_zip function with safe parameters
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to nm_zip endpoints
- System command execution in web server logs
- Unexpected process creation from web server user
Network Indicators:
- Outbound connections from web server to suspicious IPs
- Unusual data exfiltration patterns
- Command and control traffic from Scriptcase server
SIEM Query:
source="web_server" AND (uri="*nm_zip*" OR cmd="*system*" OR cmd="*exec*")
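The "Unusual POST requests to nm_zip endpoints" indicator can also be checked offline against raw access logs. The script below is an added example, not part of the original advisory or of Scriptcase. It assumes Apache/Nginx "combined" log format, and its sample lines and request paths are constructed. Unlike a plain wildcard match, it percent-decodes the URI before matching, so encoded forms of the function name are still counted.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache/Nginx "combined" access-log line (assumed format, not from the advisory).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize(uri, rounds=2):
    """Percent-decode up to `rounds` times (covers double encoding),
    then lowercase, so encoded spellings compare equal to the literal name."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri.lower()

def find_nm_zip_hits(lines):
    """Return (ip, timestamp, method, status, raw_uri) for requests referencing nm_zip."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and "nm_zip" in normalize(m["uri"]):
            hits.append((m["ip"], m["ts"], m["method"], int(m["status"]), m["uri"]))
    return hits

def posts_by_client(hits):
    """Count POST hits per client IP, the log indicator listed above."""
    return Counter(ip for ip, _, method, _, _ in hits if method == "POST")

# Constructed sample log lines (documentation IP ranges, hypothetical paths).
SAMPLE = [
    '203.0.113.7 - - [12/Oct/2024:10:01:02 +0000] "POST /scriptcase/app/example.php?fn=nm_zip HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [12/Oct/2024:10:01:05 +0000] "POST /scriptcase/app/example.php?fn=%256e%256d_zip HTTP/1.1" 200 498 "-" "curl/8.0"',
    '198.51.100.4 - - [12/Oct/2024:10:02:00 +0000] "GET /scriptcase/index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Oct/2024:10:03:00 +0000] "GET /docs/nm_zip.html HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found = find_nm_zip_hits(SAMPLE)
    for hit in found:
        print(hit)
    print("POSTs per client:", dict(posts_by_client(found)))
```

Correlate any flagged client with the process-creation and outbound-connection indicators listed above before treating a hit as a compromise; a GET for a documentation page, as in the last sample line, is matched but not counted as a POST.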