CVE-2024-7448
📋 TL;DR
This CVE describes a command injection vulnerability in the Android device image acquisition functionality of Magnet Forensics AXIOM: data coming from the device being acquired is used to build a system command without adequate validation. A network-adjacent attacker who controls a malicious mobile device can execute arbitrary code on the examiner's workstation when the user acquires data from that device. The vulnerability affects AXIOM users performing mobile device forensics.
💻 Affected Systems
- Magnet Forensics AXIOM
📦 What is this software?
Magnet AXIOM is a digital forensics platform from Magnet Forensics used to acquire and analyze evidence from computers, mobile devices, and cloud sources. The Android acquisition workflow pulls data from a connected handset into a forensic image, which is the code path this CVE concerns.
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the forensic workstation, with the attacker running code at the same privilege level as the AXIOM user. Because examiners typically have access to case repositories and evidence stores, this can lead to theft or tampering of evidence, lateral movement into the lab network, or ransomware deployment.
Likely Case
Execution of attacker-chosen commands on the workstation in the context of the examiner's account, triggered when a booby-trapped device is acquired. The integrity of that acquisition, and of any other case data reachable from the host, can no longer be assumed.
If Mitigated
Limited if acquisitions are performed from a dedicated, low-privilege account on a segmented acquisition host with no direct access to case repositories: the compromise stays contained to that host and the affected case. Segmentation and least privilege reduce what the attacker can reach afterwards; they do not prevent the trigger itself, which is the connection of the malicious device.
🎯 Exploit Status
Exploitation requires user interaction and network adjacency: the attacker must get a malicious Android device (or hardware presenting itself as one) connected to the examiner's workstation and selected for acquisition; there is no unauthenticated remote trigger. ZDI-CAN-23964 is the Zero Day Initiative case number, meaning the issue was reported through ZDI's coordinated disclosure program.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor release notes for specific patched version
Vendor Advisory: https://docs.magnetforensics.com/docs/axiom/release_notes.html
Restart Required: Yes
Instructions:
1. Check the currently installed AXIOM version (Help → About AXIOM, or the installed-programs list in Windows).
2. Look up the patched version in the Magnet Forensics release notes linked above.
3. Download and install the patched release.
4. Close all AXIOM components (AXIOM Process and AXIOM Examine) and relaunch.
5. Verify that the installed version matches or exceeds the patched version before resuming Android acquisitions.
🔧 Temporary Workarounds
Disable Android Acquisition
Temporarily disable Android device image acquisition functionality until patched
No standard commands - configure via AXIOM interface
Network Segmentation
Isolate AXIOM systems from the general network and allow connections only to trusted hosts. This limits what an attacker can reach after a successful exploit; it does not stop the exploit itself, which is triggered by the connected device.
Configure host and perimeter firewall rules to restrict inbound and outbound access for the AXIOM host
🧯 If You Can't Patch
- Enforce strict mobile device acquisition policies: acquire only from devices whose provenance is known, and treat any device that may have been prepared by an adversary as hostile input
- Run AXIOM on a dedicated acquisition workstation or isolated VM, under a non-administrative account, with no network path to case repositories or the rest of the lab
🔍 How to Verify
Check if Vulnerable:
Compare the installed AXIOM version against the vendor release notes; if it predates the fix and the host is used for Android acquisitions, treat it as vulnerable
Check Version:
In the AXIOM interface: Help → About AXIOM (or similar menu). The version is also listed in the Windows installed-programs list
Verify Fix Applied:
Confirm the installed version matches or exceeds the patched version listed in the vendor release notes, on every host used for acquisitions
📡 Detection & Monitoring
Log Indicators:
- Unusual process execution from AXIOM context
- Suspicious command strings in AXIOM logs
- Failed or abnormal Android acquisition attempts
Network Indicators:
- Unexpected outbound connections from AXIOM system
- Network traffic to unusual ports from AXIOM host
SIEM Query:
Process execution where parent_process contains 'axiom' AND command_line contains suspicious patterns (e.g., 'cmd.exe', 'powershell', 'bash -c')
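Worked example of the query above, added here and not part of the original page or of Magnet Forensics' own tooling. It applies the same parent-process and command-line logic to Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records, and adds the allow-list a practitioner needs so that AXIOM's expected ADB helper and loopback traffic do not fire. The executable paths, the assumption that AXIOM's binaries contain "axiom" in their file names, that adb.exe is the only expected child, that TCP 443 and 5037 are the only expected destination ports, and every sample record are constructed assumptions to tune per site.

```python
"""Triage Sysmon-style telemetry from a Magnet AXIOM workstation.

Added example, not Magnet Forensics code. Field names follow Sysmon
Event ID 1 (ProcessCreate) and Event ID 3 (NetworkConnect). Every
sample record and every allow-list below is a constructed assumption.
"""
import re

# Assumption: the AXIOM suite's executables carry "axiom" in their file name.
AXIOM_IMAGE = re.compile(r"axiom", re.IGNORECASE)

# Assumption: adb.exe is the only helper AXIOM legitimately spawns during
# Android acquisition. Tune after baselining your own hosts.
EXPECTED_CHILDREN = {"adb.exe"}

# Shell interpreters that should never run as children of AXIOM.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "bash.exe", "sh.exe"}

# Interpreter invocations and shell metacharacters, as in the SIEM query above.
# A command injection lands here when device-supplied text is spliced into a
# command, so `&`, `|`, `;`, backticks and `$(` are flagged as well.
SUSPICIOUS_CMDLINE = re.compile(
    r"\bcmd(?:\.exe)?\b|\bpowershell(?:\.exe)?\b|\bpwsh\b"
    r"|\bbash\s+-c\b|\bsh\s+-c\b|[&|;`]|\$\(",
    re.IGNORECASE,
)

# Assumption: the only expected outbound destinations are HTTPS (vendor
# licensing/updates) and the local ADB server on TCP 5037.
EXPECTED_PORTS = {443, 5037}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_process(event):
    """Return a reason string when a ProcessCreate record is suspicious, else None."""
    if not AXIOM_IMAGE.search(basename(event.get("ParentImage", ""))):
        return None  # not spawned by AXIOM: out of scope for this check
    child = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    if child in SHELL_IMAGES or SUSPICIOUS_CMDLINE.search(cmdline):
        return f"shell interpreter or metacharacters under AXIOM: {cmdline}"
    if child not in EXPECTED_CHILDREN:
        return f"unexpected child of AXIOM: {child}"
    return None


def triage_network(event):
    """Return a reason string when a NetworkConnect record is suspicious, else None."""
    if not AXIOM_IMAGE.search(basename(event.get("Image", ""))):
        return None
    if str(event.get("Initiated", "true")).lower() != "true":
        return None  # inbound connection: outside the outbound indicator
    port = int(event.get("DestinationPort", 0))
    if port not in EXPECTED_PORTS:
        return f"unexpected outbound connection from AXIOM to {event.get('DestinationIp')}:{port}"
    return None


def triage(events):
    """Run both checks over a list of records; returns [(EventID, reason), ...]."""
    findings = []
    for event in events:
        reason = None
        if event.get("EventID") == 1:
            reason = triage_process(event)
        elif event.get("EventID") == 3:
            reason = triage_network(event)
        if reason:
            findings.append((event["EventID"], reason))
    return findings


# Constructed sample records (not real telemetry). Paths are assumptions.
AXIOM_EXE = r"C:\Program Files\Magnet Forensics\Magnet AXIOM\AXIOMProcess.exe"
SAMPLE_EVENTS = [
    # Benign: AXIOM drives adb to read device properties during acquisition.
    {"EventID": 1, "ParentImage": AXIOM_EXE,
     "Image": r"C:\Program Files\Magnet Forensics\Magnet AXIOM\adb.exe",
     "CommandLine": "adb.exe -s 0123456789ABCDEF shell getprop ro.build.version.release"},
    # Suspicious: a command shell appears under AXIOM (constructed stand-in, not a real payload).
    {"EventID": 1, "ParentImage": AXIOM_EXE,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c whoami > C:\Users\Public\w.txt"},
    # Benign: loopback connection to the local ADB server.
    {"EventID": 3, "Image": AXIOM_EXE, "Initiated": "true",
     "DestinationIp": "127.0.0.1", "DestinationPort": "5037"},
    # Suspicious: outbound connection to an unusual port on an external host.
    {"EventID": 3, "Image": AXIOM_EXE, "Initiated": "true",
     "DestinationIp": "203.0.113.10", "DestinationPort": "4444"},
    # Ignored: a shell launched from Explorer, not from AXIOM.
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for event_id, reason in triage(SAMPLE_EVENTS):
        print(f"Event {event_id}: {reason}")
```

Baseline the allow-lists before deploying: any additional helper AXIOM spawns on your build, or any port it routinely talks to, goes into EXPECTED_CHILDREN or EXPECTED_PORTS, otherwise the unexpected-child and unexpected-port rules will page on normal acquisitions. The shell-interpreter and metacharacter rule should stay strict, since a legitimate acquisition has no reason to route through cmd.exe or PowerShell.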