CVE-2024-55513
📋 TL;DR
This vulnerability allows attackers to upload arbitrary files to Raisecom network devices via the /upload_netaction.php web interface endpoint. By crafting specific form names, attackers can bypass upload restrictions and potentially gain unauthorized access with server permissions. All organizations using affected Raisecom MSG series devices with vulnerable firmware are at risk.
💻 Affected Systems
- Raisecom MSG1200
- Raisecom MSG2100E
- Raisecom MSG2200
- Raisecom MSG2300
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the network device leading to persistent backdoor installation, credential theft, lateral movement within the network, and potential disruption of network services.
Likely Case
Unauthorized file upload leading to web shell deployment, limited command execution, and potential data exfiltration from the affected device.
If Mitigated
Limited impact with proper network segmentation and access controls preventing external exploitation, though internal threats remain possible.
🎯 Exploit Status
The referenced GitHub gist contains proof-of-concept details. The vulnerability requires no authentication and has simple exploitation steps.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: No
Instructions:
Check with Raisecom for firmware updates. If one is available, download the latest firmware, back up the configuration, upload the new firmware via the web interface or CLI, and verify the update.
🔧 Temporary Workarounds
Disable Web Interface
Disable the web management interface if not required for operations
Configure via CLI: no web-management enable
Restrict Network Access
Implement network access controls to limit access to the web interface
Configure ACLs:
access-list 100 deny tcp any any eq 80
access-list 100 deny tcp any any eq 443
access-list 100 permit ip any any
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected devices from untrusted networks
- Deploy web application firewall (WAF) rules to block requests to /upload_netaction.php with suspicious parameters
🔍 How to Verify
Check if Vulnerable:
Check the device firmware version via CLI: show version. If the version is 3.90 on an affected model, the device is vulnerable.
Check Version:
show version
Verify Fix Applied:
After applying any mitigation, attempt to access /upload_netaction.php with crafted form names. The upload attempt should be blocked.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /upload_netaction.php
- File upload attempts with unusual form names
- Unauthorized file creation in web directories
Network Indicators:
- Unusual outbound connections from network devices
- HTTP traffic to device management interfaces from unexpected sources
SIEM Query:
source="network_device" AND url="/upload_netaction.php" AND method="POST" AND (form_data CONTAINS "filename" OR user_agent="curl" OR user_agent="wget")
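The log and network indicators above can also be checked offline against exported access logs. The following is an added example, not code from the advisory or from Raisecom. It assumes the requests are available in combined log format (for instance from a reverse proxy or WAF in front of the device) and that management stations sit in 10.20.0.0/28; both the subnet and the sample lines are constructed.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

TARGET = "/upload_netaction.php"
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/28")]  # assumed management subnet
LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines in combined log format, not from a real device.
SAMPLE_LOG = """\
10.20.0.5 - - [12/Jan/2025:09:15:40 +0000] "POST /upload_netaction.php HTTP/1.1" 200 88
198.51.100.23 - - [12/Jan/2025:11:02:17 +0000] "GET /upload_netaction.php HTTP/1.1" 200 310
198.51.100.23 - - [12/Jan/2025:11:02:19 +0000] "POST /%75pload_netaction.php?x=1 HTTP/1.1" 200 91
203.0.113.7 - - [12/Jan/2025:11:30:00 +0000] "POST /./Upload_NetAction.php HTTP/1.1" 403 12
"""

def normalise(uri):
    """Drop the query, decode twice, collapse ./ and //; lower-case to over-match."""
    path = uri.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return posixpath.normpath("/" + path.lstrip("/")).lower()

def classify(line):
    m = LINE_RE.match(line)
    if not m or normalise(m["uri"]) != TARGET:
        return None
    try:
        trusted = any(ipaddress.ip_address(m["src"]) in n for n in MGMT_NETS)
    except ValueError:  # hostname instead of an address
        trusted = False
    if m["method"] != "POST":
        sev = "low"      # endpoint touched, nothing uploaded
    elif trusted:
        sev = "review"   # no authentication is required, so still worth a look
    elif m["status"].startswith("2"):
        sev = "high"     # accepted POST from outside the management subnet
    else:
        sev = "medium"   # POST from outside, rejected before or by the device
    return {"src": m["src"], "ts": m["ts"], "severity": sev}

def find_hits(log_text):
    return [h for h in map(classify, log_text.splitlines()) if h]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

Access logs rarely record multipart form names, so the "unusual form names" indicator needs request-body logging at the WAF or proxy; this check covers the endpoint and source indicators only.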