CVE-2024-55515
📋 TL;DR
This vulnerability allows unauthenticated attackers to upload arbitrary files to Raisecom network devices via the web interface. Attackers can exploit this to achieve remote code execution, compromise device integrity, or use devices as attack pivots. All organizations using affected Raisecom MSG series devices with vulnerable firmware are at risk.
💻 Affected Systems
- Raisecom MSG1200
- Raisecom MSG2100E
- Raisecom MSG2200
- Raisecom MSG2300
⚠️ Risk & Real-World Impact
Worst Case
Complete device takeover leading to network compromise, data exfiltration, ransomware deployment, or use as pivot point for lateral movement.
Likely Case
Malicious file upload leading to webshell installation, credential theft, or device configuration manipulation.
If Mitigated
Limited impact if network segmentation isolates devices and file uploads are monitored/blocked.
🎯 Exploit Status
Public proof-of-concept demonstrates file upload via crafted form name. Simple HTTP POST request with malicious file payload.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: No
Instructions:
Check vendor website for security updates. No official patch information available at time of analysis.
🔧 Temporary Workarounds
Disable web interface
all: Disable HTTP/HTTPS management interface if not required
Configure via CLI:
no ip http server
no ip http secure-server
Network access control
all: Restrict access to device management interfaces
Configure ACL:
access-list 100 deny tcp any any eq 80
access-list 100 deny tcp any any eq 443
access-list 100 permit ip any any
🧯 If You Can't Patch
- Isolate affected devices in separate VLAN with strict firewall rules
- Implement WAF or reverse proxy to filter malicious upload requests
🔍 How to Verify
Check if Vulnerable:
Check firmware version via CLI: show version | include Version. If version is 3.90, device is vulnerable.
Check Version:
show version | include Version
Verify Fix Applied:
Test file upload functionality by attempting to upload a test file to /upload_ipslib.php. A successful upload indicates the device is still vulnerable.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /upload_ipslib.php
- Unusual file upload activity in web server logs
- Multiple failed upload attempts
Network Indicators:
- HTTP traffic to device management IP on port 80/443 with POST to vulnerable endpoint
- Unusual outbound connections from device after exploitation
SIEM Query:
source="device_logs" AND (url="/upload_ipslib.php" OR (method="POST" AND uri CONTAINS "upload"))
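The log indicators above can also be checked offline against exported access logs. The following is an added example, not part of the original advisory or any vendor tooling; it assumes Common/Combined Log Format (for instance from a reverse proxy in front of the management interface), and the threshold, severity labels and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

ENDPOINT = "/upload_ipslib.php"  # endpoint named on this page
FAIL_THRESHOLD = 3               # assumption: tune per environment

# Assumption: Common/Combined Log Format, e.g. from a reverse proxy
# placed in front of the device management interface.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

def scan(lines, fail_threshold=FAIL_THRESHOLD):
    """Group POSTs to ENDPOINT by source address and grade each source."""
    per_src = defaultdict(lambda: {"hits": [], "failed": 0, "succeeded": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Compare the decoded path only: drop the query string, fold case
        # and collapse repeated slashes so the rule matches consistently.
        path = re.sub(r"/+", "/", unquote(m["uri"].split("?", 1)[0])).lower()
        if path != ENDPOINT:
            continue
        rec = per_src[m["src"]]
        rec["hits"].append(m["ts"])
        # Assumption: a 2xx status means the upload was accepted.
        rec["succeeded" if m["status"].startswith("2") else "failed"] += 1
    for rec in per_src.values():
        if rec["succeeded"]:
            rec["severity"] = "high"    # upload accepted: investigate device
        elif rec["failed"] >= fail_threshold:
            rec["severity"] = "medium"  # repeated failed upload attempts
        else:
            rec["severity"] = "low"
    return dict(per_src)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [10/Jan/2025:10:00:01 +0000] "POST /upload_ipslib.php HTTP/1.1" 200 312',
    '203.0.113.9 - - [10/Jan/2025:10:02:11 +0000] "POST /upload_ipslib.php HTTP/1.1" 403 0',
    '203.0.113.9 - - [10/Jan/2025:10:02:12 +0000] "POST //Upload_IPSlib.php?x=1 HTTP/1.1" 403 0',
    '203.0.113.9 - - [10/Jan/2025:10:02:13 +0000] "POST /upload_ipslib.php HTTP/1.1" 404 0',
    '192.0.2.15 - - [10/Jan/2025:10:05:00 +0000] "GET /upload_ipslib.php HTTP/1.1" 200 1024',
    '192.0.2.15 - - [10/Jan/2025:10:05:09 +0000] "POST /login.php HTTP/1.1" 200 87',
]
```

Calling `scan(SAMPLE)` returns one record per source address that POSTed to the endpoint, with the request timestamps kept in `hits` for correlation with later outbound connections from the device.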