CVE-2024-48747
📋 TL;DR
This vulnerability in alist-tvbox v1.7.1 allows remote attackers to execute arbitrary commands on affected systems via the /atv-cli endpoint. This is a command injection vulnerability that affects all deployments running the vulnerable version of alist-tvbox software.
💻 Affected Systems
- alist-tvbox
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attacker to install malware, exfiltrate data, pivot to other systems, or establish persistent backdoor access.
Likely Case
Attacker gains shell access to the server, potentially accessing sensitive data, modifying configurations, or using the system for further attacks.
If Mitigated
If proper network segmentation and access controls are implemented, impact limited to the isolated system with no lateral movement.
🎯 Exploit Status
The vulnerability is documented with technical details in the referenced PDF, making exploitation straightforward for attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: Yes
Instructions:
1. Check for an updated version in the alist-tvbox repository.
2. If an update is available, back up the configuration.
3. Stop the alist-tvbox service.
4. Install the updated version.
5. Restart the service.
🔧 Temporary Workarounds
Block /atv-cli endpoint
Use web server or firewall rules to block access to the vulnerable endpoint. The nginx rule below uses an exact match (`location =`); if the endpoint is reached with a path suffix, use a prefix match (`location /atv-cli`) instead. The Apache rule requires the 2.4 authorization syntax.
# For nginx:
location = /atv-cli { deny all; }
# For Apache:
<Location /atv-cli>
    Require all denied
</Location>
Network access restriction
Restrict access to alist-tvbox to trusted IP addresses only. Replace the bracketed placeholders with the listening port and the trusted source address; the ACCEPT rule must be inserted before the DROP rule, as shown, because iptables evaluates rules in order.
# iptables example:
iptables -A INPUT -p tcp --dport [alist-port] -s [trusted-ip] -j ACCEPT
iptables -A INPUT -p tcp --dport [alist-port] -j DROP
🧯 If You Can't Patch
- Isolate the vulnerable system in a restricted network segment with no internet access
- Implement strict egress filtering to prevent command and control communication
🔍 How to Verify
Check if Vulnerable:
Check if alist-tvbox version is 1.7.1 and /atv-cli endpoint is accessible
Check Version:
Check alist-tvbox configuration files or running process for version information
Verify Fix Applied:
Test if /atv-cli endpoint no longer accepts malicious input or is blocked
📡 Detection & Monitoring
Log Indicators:
- Unusual commands in system logs
- Process execution from web user context
- Access to /atv-cli with suspicious parameters
Network Indicators:
- Outbound connections from alist-tvbox to unusual destinations
- Shell command patterns in HTTP requests to /atv-cli
SIEM Query:
source="web_logs" AND uri="/atv-cli" AND (command="*" OR cmd="*" OR shell="*")
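The SIEM query above only fires when a logging pipeline has already split the query string into fields. As an added example that is not part of this page, the following script applies the same log indicators (requests to /atv-cli carrying a `command`, `cmd` or `shell` parameter, or shell metacharacters in any parameter value) directly to raw access log lines in the combined log format assumed here; the log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in nginx/Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2024:12:00:01 +0000] "GET /atv-cli?cmd=id HTTP/1.1" 200 512 "-" "curl/8.4"
203.0.113.10 - - [10/Oct/2024:12:00:02 +0000] "POST /atv-cli HTTP/1.1" 200 64 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2024:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2024:12:00:04 +0000] "GET /atv-cli?command=hostname%3Bid HTTP/1.1" 500 0 "-" "curl/8.4"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SUSPECT_PARAMS = {"command", "cmd", "shell"}  # parameter names from the page's SIEM query
META = re.compile(r"[;|&`$()]")               # common shell metacharacters

def analyze_line(line):
    """Return a finding dict for a request to /atv-cli, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable line (different log format)
    url = urlsplit(m["target"])
    if url.path != "/atv-cli" and not url.path.startswith("/atv-cli/"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    reasons = []
    hit = SUSPECT_PARAMS & set(params)
    if hit:
        reasons.append("suspect parameter(s): " + ",".join(sorted(hit)))
    if any(META.search(v) for vals in params.values() for v in vals):
        reasons.append("shell metacharacters in query value")
    if m["method"] == "POST":
        # Parameters sent in a POST body never appear in the access log.
        reasons.append("POST body to /atv-cli (inspect body if logged)")
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "target": m["target"], "status": m["status"], "reasons": reasons}

def scan(log_text):
    """Findings for every /atv-cli request in the log, in file order."""
    return [f for f in (analyze_line(l) for l in log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ip"], finding["method"], finding["target"], "|", "; ".join(finding["reasons"]))
```

Because POST bodies are absent from standard access logs, an alert on any POST to /atv-cli from an unexpected source is the practical complement to the parameter checks.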