CVE-2026-24138
📋 TL;DR
CVE-2026-24138 is an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in FOG Project's getversion.php. Attackers can exploit this by sending specially crafted requests with a user-controlled URL parameter to access internal websites and files on the FOG server. All FOG Project installations running version 1.5.10.1754 or below are affected.
💻 Affected Systems
- FOG Project
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the FOG server through internal service enumeration, credential harvesting from metadata services, and potential lateral movement to other internal systems.
Likely Case
Information disclosure of internal network resources, file system access, and potential credential theft from internal services.
If Mitigated
Limited to port scanning and basic reconnaissance of internal services if proper network segmentation and access controls are implemented.
🎯 Exploit Status
Exploitation requires sending HTTP requests with the newService=1 parameter and a malicious URL. The advisory includes technical details that facilitate exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://github.com/FOGProject/fogproject/security/advisories/GHSA-79xw-c2qx-g7xj
Restart Required: No
Instructions:
No official patch is available. Monitor the FOG Project GitHub repository for updates and apply any future patches immediately.
🔧 Temporary Workarounds
Restrict access to getversion.php
Block or restrict access to the vulnerable getversion.php file using web server configuration or firewall rules. If any legitimate FOG clients or administrators need this endpoint, allow-list their source addresses rather than denying everything, and confirm they still work after the change.
# Apache: Add to .htaccess or virtual host config
<Files "getversion.php">
    # Apache 2.4 syntax
    Require all denied
    # Apache 2.2 syntax (or 2.4 with mod_access_compat loaded); do not mix with Require
    # Order deny,allow
    # Deny from all
</Files>
# Nginx: Add to server block. Place it before any generic "location ~ \.php$" block,
# because nginx uses the first matching regex location and would otherwise pass the
# request to PHP-FPM.
location ~ /getversion\.php$ {
    deny all;
    return 403;
}
Network segmentation
Isolate the FOG server from other internal systems to limit the impact of SSRF exploitation.
🧯 If You Can't Patch
- Implement strict network access controls to limit the FOG server's outbound connections to only necessary services.
- Deploy a web application firewall (WAF) with SSRF protection rules to block malicious requests to getversion.php.
🔍 How to Verify
Check if Vulnerable:
Test by sending a request to http://<fog-server>/fog/management/getversion.php?newService=1&url=http://localhost. If the response contains content fetched from the internal target, the system is vulnerable.
Check Version:
Check the FOG web interface dashboard or run: grep FOG_VERSION /var/www/html/fog/lib/fog/config.class.php
Verify Fix Applied:
After applying workarounds, the same test request should return an error or be blocked entirely.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to getversion.php with url parameter containing internal IP addresses or domains
- Unusual outbound connections from the FOG server to internal services
Network Indicators:
- HTTP traffic to getversion.php with newService=1 parameter
- Outbound connections from FOG server to unexpected internal services
SIEM Query:
source="fog-access.log" AND uri="/fog/management/getversion.php" AND query_string="*url=*"
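To turn the log indicators above into something that can be run over an access log, here is an added example (not FOG Project code and not from the advisory) that parses constructed Apache combined-format lines and flags getversion.php requests whose url= parameter targets loopback, private or link-local (cloud metadata) addresses or local files. The log regex and the rule treating single-label hostnames as internal are this example's assumptions.

```python
# Added example (not FOG Project code): flag getversion.php requests whose url= targets internal hosts.
# SAMPLE_LOG is constructed in Apache 'combined' format; the regex and hostname rule are assumptions.
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

SAMPLE_LOG = [  # two internal SSRF attempts, one external fetch, one plain version check
    '203.0.113.7 - - [10/Feb/2026:12:00:01 +0000] "GET /fog/management/getversion.php?newService=1&url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Feb/2026:12:00:02 +0000] "GET /fog/management/getversion.php?newService=1&url=http%3A%2F%2F127.0.0.1%3A3306%2F HTTP/1.1" 200 88',
    '198.51.100.4 - - [10/Feb/2026:12:00:03 +0000] "GET /fog/management/getversion.php?newService=1&url=http://example.com/ HTTP/1.1" 200 64',
    '192.0.2.10 - - [10/Feb/2026:12:00:04 +0000] "GET /fog/management/getversion.php HTTP/1.1" 200 12',
]

def is_internal_target(url: str) -> bool:
    """True when url points at loopback, private, link-local (metadata) addresses or local files."""
    host = urlsplit(url).hostname
    if not host:
        return True                      # file:///... or a bare path: reaches the server itself
    if "." not in host and ":" not in host:
        return True                      # localhost / single-label intranet names (assumption)
    try:
        return not ipaddress.ip_address(host).is_global   # covers 127/8, 10/8, 169.254/16, ::1
    except ValueError:
        return False                     # public-looking DNS name; no resolution is attempted

def classify(line: str):
    """Return an alert record for a getversion.php request carrying url=, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    split = urlsplit(m.group("target"))
    if not split.path.endswith("/getversion.php"):
        return None
    params = parse_qs(split.query)
    url = params.get("url", [None])[0]
    if url is None:
        return None                      # ordinary version check, no url= to follow
    return {
        "client": m.group("client"),
        "url": url,
        "new_service": params.get("newService", [""])[0] == "1",
        "verdict": "ssrf-internal" if is_internal_target(url) else "ssrf-external",
    }

def scan(lines):  # keep only the alerts, in log order
    return [alert for alert in map(classify, lines) if alert]
```

Feed it real access-log lines (e.g. from fog-access.log) and triage "ssrf-internal" hits first; "ssrf-external" hits still indicate the endpoint is being used to fetch arbitrary URLs.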