CVE-2024-46479

9.9 CRITICAL

📋 TL;DR

Venki Supravizio BPM through version 18.0.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files. This can lead to remote code execution on affected systems. Organizations using vulnerable versions of this business process management software are at risk.

💻 Affected Systems

Products:
  • Venki Supravizio BPM
Versions: through 18.0.1
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to exploit. All deployments with vulnerable versions are affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining full control over the server, data exfiltration, lateral movement, and persistent backdoor installation.

🟠

Likely Case

Attacker uploads web shell or malicious payload to execute arbitrary commands, potentially leading to data theft, service disruption, or ransomware deployment.

🟢

If Mitigated

Limited impact with proper file upload restrictions, input validation, and network segmentation preventing successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once credentials are obtained. A public proof-of-concept exists in a GitHub repository.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.venki.com.br/ferramenta-bpm/supravizio/

Restart Required: No

Instructions:

1. Contact Venki support for patch information
2. Apply any available security updates
3. Verify the fix by testing file upload functionality

🔧 Temporary Workarounds

Restrict File Upload Types

all

Configure the application to only allow specific safe file extensions and implement server-side validation

Implement Web Application Firewall Rules

all

Deploy WAF rules to block malicious file upload attempts and suspicious HTTP requests
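Added example (not Venki's code and not taken from this advisory): a server-side allowlist check of the kind the first workaround describes. It assumes the upload handler can call such a function before anything is written to disk; the allowed types, the size limit and the filename pattern are illustrative assumptions. Beyond a plain extension allowlist, it also rejects double extensions, client-supplied path components, and content whose leading bytes do not match the declared type, and it never reuses the client's filename on disk.

```python
# Added example, not part of the Supravizio BPM product or this advisory.
# Server-side validation for an upload handler: allowlist the extension,
# confirm the content matches it, and store under a random name.
import os
import re
import secrets

# Allowlisted extensions and the magic bytes each file must start with
# (illustrative set; extend for the document types the deployment needs).
ALLOWED_TYPES = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}
MAX_BYTES = 10 * 1024 * 1024  # assumed limit: 10 MiB
# One leading alphanumeric, then only safe characters; no slashes, no NUL.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")


def validate_upload(filename, content):
    """Return (accepted, reason). Anything not explicitly allowed is rejected."""
    if len(content) > MAX_BYTES:
        return False, "too large"
    # Drop any directory component the client sent; a name that changes when
    # we do so contained a path and is rejected outright.
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or not SAFE_NAME.match(base):
        return False, "unsafe filename"
    parts = base.lower().split(".")
    if len(parts) != 2:
        # Covers "shell.pdf.jsp" style double extensions and bare names.
        return False, "missing or multiple extensions"
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not allowed"
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        # Extension says PDF/image but the bytes do not: reject.
        return False, "content does not match extension"
    return True, "ok"


def stored_name(filename):
    """Name to use on disk: random token plus the (already validated) extension."""
    ext = filename.lower().rsplit(".", 1)[1]
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed inputs for a quick local run.
    for name, body in [
        ("report.pdf", b"%PDF-1.7\n%..."),
        ("shell.jsp", b"<% %>"),
        ("shell.pdf.jsp", b"%PDF-"),
        ("../../report.pdf", b"%PDF-"),
        ("report.pdf", b"<%@ page %>"),
    ]:
        print(name, validate_upload(name, body))
```

The magic-byte check matters because an extension allowlist alone still accepts a file whose name ends in `.pdf` but whose body is a script; the random stored name removes any attacker influence over the path the web server later serves.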

🧯 If You Can't Patch

  • Isolate the Supravizio BPM server in a restricted network segment with minimal access
  • Implement strict access controls and multi-factor authentication for all user accounts

🔍 How to Verify

Check if Vulnerable:

Check whether the Supravizio BPM version is 18.0.1 or earlier. Test whether the file upload functionality accepts file types that should be restricted.

Check Version:

Check application version in admin interface or configuration files

Verify Fix Applied:

Attempt to upload files with dangerous extensions (.jsp, .php, .exe) and verify they are rejected with proper validation.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads with suspicious extensions
  • Multiple failed upload attempts
  • Successful uploads of executable files

Network Indicators:

  • HTTP POST requests to upload endpoints with unusual file types
  • Traffic to unexpected ports after upload

SIEM Query:

source="supravizio" AND (file_upload="*.jsp" OR file_upload="*.php" OR file_upload="*.exe")
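Added example, not part of this advisory: a small Python detector that applies the log indicators above (uploads with dangerous extensions, repeated failed uploads, successful uploads of executable files) to constructed upload log lines. The key=value log format, the field names and the failure threshold are assumptions for illustration; a real Supravizio deployment's log format will differ and the regular expression must be adapted to it.

```python
# Added example, not part of the advisory or the Supravizio product.
# Applies the advisory's log indicators to constructed upload log lines.
import re
from collections import Counter

# Extensions a BPM document store should never accept (advisory lists
# .jsp/.php/.exe; the rest are common server-side executable types).
DANGEROUS_EXT = {"jsp", "jspx", "php", "exe", "war", "aspx", "sh"}
FAILED_THRESHOLD = 3  # assumed: alert on the third failed upload by one user

# Assumed key=value event format; adapt to the real application log.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=file_upload "
    r"name=(?P<name>\S+) status=(?P<status>\d{3})$"
)


def extension_of(name):
    """Last extension of a filename, lower-cased; '' if there is none."""
    parts = name.lower().split(".")
    return parts[-1] if len(parts) > 1 else ""


def scan_upload_logs(lines):
    """Return a list of (rule, user, detail) alerts for the given log lines."""
    alerts = []
    failures = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an upload event, skip
        user, name, status = m["user"], m["name"], int(m["status"])
        if extension_of(name) in DANGEROUS_EXT:
            # Rejected attempts are still worth seeing: they show intent.
            outcome = "succeeded" if status < 400 else "failed"
            alerts.append(("dangerous_extension", user, f"{name} ({outcome})"))
        if status >= 400:
            failures[user] += 1
            if failures[user] == FAILED_THRESHOLD:
                alerts.append(("repeated_failed_uploads", user,
                               f"{FAILED_THRESHOLD} failures"))
    return alerts


# Constructed sample lines, not real Supravizio output.
SAMPLE_LOG = [
    "2024-09-20T10:15:01Z user=alice action=file_upload name=report.pdf status=200",
    "2024-09-20T10:15:09Z user=bob action=file_upload name=cmd.jsp status=403",
    "2024-09-20T10:15:12Z user=bob action=file_upload name=cmd.php status=403",
    "2024-09-20T10:15:20Z user=bob action=file_upload name=cmd.pdf.jsp status=403",
    "2024-09-20T10:15:31Z user=bob action=file_upload name=notes.txt.exe status=200",
    "2024-09-20T10:16:00Z user=carol action=login status=200",
]

if __name__ == "__main__":
    for alert in scan_upload_logs(SAMPLE_LOG):
        print(alert)
```

Note that the detector keys on the last extension, so `cmd.pdf.jsp` is caught even though it starts with an innocuous-looking name; the SIEM query above, which matches on `*.jsp`, behaves the same way, but any rule that only looks at the first extension would miss it.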

🔗 References
