CVE-2024-54756

9.8 CRITICAL

📋 TL;DR

This CVE describes a critical remote code execution vulnerability in GZDoom v4.13.1. Attackers can exploit it by tricking users into opening a malicious PK3 file containing specially crafted ZScript code, allowing arbitrary command execution on the victim's system. This affects all users running the vulnerable version of GZDoom.

💻 Affected Systems

Products:
  • GZDoom
Versions: v4.13.1
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. The vulnerability is triggered when loading PK3 files containing ZScript.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control over the victim's machine, potentially leading to data theft, ransomware deployment, or lateral movement within networks.

🟠 Likely Case

Local privilege escalation or malware installation on the user's system when opening malicious game mods or content from untrusted sources.

🟢 If Mitigated

Limited impact if users only open trusted PK3 files from verified sources and have proper endpoint protection.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept code is publicly available. Exploitation requires user interaction to open malicious PK3 files.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v4.13.2 or later

Vendor Advisory: https://github.com/coelckers/gzdoom/releases

Restart Required: Yes

Instructions:

  1. Download the latest GZDoom version from the official GitHub releases.
  2. Replace the existing installation with the updated version.
  3. Restart the system to ensure a clean state.

🔧 Temporary Workarounds

Disable ZScript Loading (all platforms)

Prevent GZDoom from loading ZScript files, which mitigates the vulnerability.

Set 'zscript' to 0 in the gzdoom.ini configuration file.

Restrict PK3 File Sources (all platforms)

Only load PK3 files from trusted, verified sources.

🧯 If You Can't Patch

  • Discontinue use of GZDoom until patched version is available
  • Implement application whitelisting to prevent execution of GZDoom

🔍 How to Verify

Check if Vulnerable:

Check GZDoom version via Help → About menu or command 'gzdoom --version'

Check Version:

gzdoom --version

Verify Fix Applied:

Verify version is 4.13.2 or higher and test loading known safe PK3 files

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation from GZDoom executable
  • Failed ZScript compilation attempts
  • Loading of PK3 files from unusual locations

Network Indicators:

  • Downloads of PK3 files from untrusted sources
  • Outbound connections from GZDoom process to suspicious IPs

SIEM Query:

Process Creation where Parent Process contains 'gzdoom' AND Command Line contains unusual parameters
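
The log indicators and SIEM query above, as a runnable check over process-creation events. This is an added example, not part of the advisory or the GZDoom project; the events are constructed, the field names assume Sysmon Event ID 1 records exported as JSON lines, and the function names are hypothetical.

```python
import json
import ntpath
import re

# Constructed process-creation events; field names follow Sysmon Event ID 1.
SAMPLE_EVENTS = r"""
{"Image": "C:\\Games\\GZDoom\\gzdoom.exe", "CommandLine": "gzdoom.exe -file C:\\Users\\a\\Downloads\\newmap.pk3", "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "explorer.exe"}
{"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami", "ParentImage": "C:\\Games\\GZDoom\\gzdoom.exe", "ParentCommandLine": "gzdoom.exe -file C:\\Users\\a\\Downloads\\newmap.pk3"}
{"Image": "/bin/sh", "CommandLine": "sh -c id", "ParentImage": "/usr/games/gzdoom", "ParentCommandLine": "gzdoom -file /tmp/x/mod.PK3"}
not-json line from a truncated log
{"Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "explorer.exe"}
"""

# A PK3 path on a command line, either quoted (may contain spaces) or bare.
PK3_RE = re.compile(r'"([^"]+\.pk3)"|([^\s"]+\.pk3)', re.IGNORECASE)


def is_gzdoom(image_path):
    """True if the executable file name contains 'gzdoom' (Windows or POSIX path)."""
    return "gzdoom" in ntpath.basename(image_path or "").lower()


def pk3_paths(command_line):
    """Return the PK3 paths named on a command line."""
    return [quoted or bare for quoted, bare in PK3_RE.findall(command_line or "")]


def find_gzdoom_children(log_text):
    """Return one alert per process whose parent is a GZDoom executable."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if isinstance(event, dict) and is_gzdoom(event.get("ParentImage")):
            alerts.append({
                "child": event.get("Image"),
                "command_line": event.get("CommandLine"),
                # PK3 files the parent was started with, for triage of the source
                "pk3_loaded": pk3_paths(event.get("ParentCommandLine")),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_gzdoom_children(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

The page does not say which child processes are expected from GZDoom, so any allowlist has to come from your own baseline.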
