CVE-2024-48694

9.8 CRITICAL

📋 TL;DR

This is a critical file upload vulnerability in OfficeWeb365 versions 8.6.1.0 and 7.18.23.0 that allows remote attackers to upload arbitrary files, leading to remote code execution. Attackers can exploit the pw/savedraw component without authentication to gain full control of affected systems. Organizations using these vulnerable versions are at immediate risk.

💻 Affected Systems

Products:
  • Xi'an Daxi Information Technology OfficeWeb365
Versions: v8.6.1.0 and v7.18.23.0
Operating Systems: Windows (based on typical OfficeWeb365 deployment)
Default Config Vulnerable: ⚠️ Yes
Notes: The pw/savedraw component is vulnerable; any installation with this component accessible is affected.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with the attacker gaining full administrative control, data exfiltration, ransomware deployment, and lateral movement within the network.

🟠 Likely Case

Remote code execution leading to web shell installation, data theft, and potential ransomware deployment on vulnerable systems.

🟢 If Mitigated

Attack blocked at the perimeter by proper WAF/file upload filtering; impact limited to logged exploitation attempts.

🌐 Internet-Facing: HIGH - Exploit is unauthenticated and public PoC exists, making internet-facing systems immediate targets.
🏢 Internal Only: MEDIUM - Still vulnerable but requires internal network access; risk increases if internal systems are compromised.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public PoCs exist; exploitation requires minimal technical skill due to available scripts.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Check vendor website for updates and consider upgrading to latest version if available.

🔧 Temporary Workarounds

Block pw/savedraw endpoint

Applies to: all

Restrict access to the vulnerable component via web server configuration or firewall rules:

  # For Apache (server or virtual host config; RewriteRule needs the rewrite engine enabled):
  RewriteEngine On
  RewriteRule ^/pw/savedraw.* - [F,L]

  # For Nginx (inside the server block):
  location ~ ^/pw/savedraw { deny all; }

  # For IIS: add a Request Filtering rule that denies the URL sequence /pw/savedraw

Implement strict file upload filtering

Applies to: all

Configure a WAF or application firewall to block suspicious file uploads to the affected endpoint:

  # Example ModSecurity rule (deny any request whose URI contains the vulnerable path):
  SecRule REQUEST_URI "@contains /pw/savedraw" "id:1001,phase:1,deny"

🧯 If You Can't Patch

  • Isolate affected systems from the internet and restrict network access to the services that are actually required
  • Implement strict file upload validation and monitoring on the pw/savedraw endpoint

🔍 How to Verify

Check if Vulnerable:

Check whether the OfficeWeb365 version is 8.6.1.0 or 7.18.23.0 and whether the /pw/savedraw endpoint is reachable

Check Version:

Check web interface or configuration files for version information

Verify Fix Applied:

Test if file upload to /pw/savedraw endpoint is blocked or properly validated

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /pw/savedraw with file uploads
  • Unusual file creation in web directories
  • Execution of suspicious scripts from web-accessible locations

Network Indicators:

  • HTTP POST requests to /pw/savedraw with executable file extensions
  • Outbound connections from web server to suspicious IPs

SIEM Query:

source="web_logs" AND uri="/pw/savedraw" AND (method="POST" OR file_extension IN ("php", "asp", "aspx", "jsp", "war"))
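The SIEM query above expresses the detection logic; the following script, added here as an example and not part of the original advisory, applies the same logic to web server access logs offline. It assumes Apache/Nginx "combined" log format, derives the file extension from the request path or from any query-string value that looks like a filename (the query's file_extension field is an assumption about how the upload name appears in the log), and grades each hit: an executable extension that was not blocked is "high", a POST that carried no executable extension is "medium", and an attempt the server answered with a 4xx/5xx (i.e. a working mitigation) is "low". The sample log lines are constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Assumption: combined log format as written by Apache/Nginx by default.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Extensions named in the advisory's SIEM query.
EXEC_EXTENSIONS = {"php", "asp", "aspx", "jsp", "war"}
TARGET_PATH = "/pw/savedraw"

# Constructed sample access log (addresses are RFC 5737 documentation ranges).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2024:13:55:36 +0000] "POST /pw/savedraw?filename=draw1.png HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2024:13:55:40 +0000] "POST /pw/savedraw?filename=test.aspx HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2024:13:56:01 +0000] "GET /pw/savedraw?filename=x.jsp HTTP/1.1" 403 0 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2024:13:56:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.0"
this line is not a valid log record
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def upload_extension(uri):
    """Extension (lower-case, no dot) of the request path or of the first
    query-string value that contains a filename; '' if none is found."""
    parts = urlsplit(uri)
    candidates = [parts.path] + [value for _, value in parse_qsl(parts.query)]
    for candidate in candidates:
        name = candidate.rsplit("/", 1)[-1]
        if "." in name:
            return name.rsplit(".", 1)[-1].lower()
    return ""


def classify(rec):
    """Apply the advisory's query: uri == /pw/savedraw AND (POST OR executable extension).
    Returns a finding dict or None."""
    path = urlsplit(rec["uri"]).path
    if path != TARGET_PATH:
        return None
    ext = upload_extension(rec["uri"])
    exec_ext = ext in EXEC_EXTENSIONS
    is_post = rec["method"] == "POST"
    if not (is_post or exec_ext):
        return None
    blocked = rec["status"][0] in "45"  # 4xx/5xx: the request did not reach the component
    if blocked:
        severity = "low"
    elif exec_ext:
        severity = "high"
    else:
        severity = "medium"
    return {
        "ip": rec["ip"],
        "timestamp": rec["ts"],
        "method": rec["method"],
        "status": rec["status"],
        "extension": ext,
        "blocked": blocked,
        "severity": severity,
    }


def find_suspicious(lines):
    """Parse each line, skip unparseable ones, and return the matching findings in order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        finding = classify(rec)
        if finding is not None:
            findings.append(finding)
    return findings


def summarize(lines):
    """Count findings per severity, e.g. for a dashboard or alert threshold."""
    return Counter(f["severity"] for f in find_suspicious(lines))


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{f['severity']:6} {f['timestamp']} {f['ip']} {f['method']} "
              f"ext={f['extension'] or '-'} status={f['status']}")
    print(dict(summarize(SAMPLE_LOG.splitlines())))
```

Point the script at a real access log with `find_suspicious(open(path))`; the 4xx/5xx grading is what makes a working Apache, Nginx or ModSecurity block show up as "low" rather than as a missed alert.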
