Cyber Posture

CVE-2024-27708

CriticalPublic PoC

Published: 22 December 2025

Published
22 December 2025
Modified
02 January 2026
KEV Added
Patch
CVSS Score 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0032 55.1th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-27708 is a critical-severity Injection (CWE-74) vulnerability in Airc Mynet. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 44.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mitigates CVE-2024-27708 by requiring identification, reporting, and correction of the specific iframe injection flaw in MyNET v.26.06 and earlier.

SI-10 Information Input Validation good match
prevent

Enforces validation of the src parameter input to block malicious iframe injections leading to arbitrary code execution.

SI-15 Information Output Filtering good match
prevent

Filters output of the src parameter in iframe elements to prevent injection of arbitrary code by remote attackers.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Iframe injection vulnerability in public-facing web application allows remote unauthenticated attacker with user interaction to achieve arbitrary code execution, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Iframe injection vulnerability in airc.pt/solucoes-servicos.solucoes MyNET v.26.06 and before allows a remote attacker to execute arbitrary code via the src parameter.

Deeper analysisAI

CVE-2024-27708 is an iframe injection vulnerability in airc.pt/solucoes-servicos.solucoes MyNET versions 26.06 and earlier. The flaw allows a remote attacker to execute arbitrary code by manipulating the src parameter, as associated with CWEs-74 and CWE-75. Published on 2025-12-22, it carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

A remote attacker requires no privileges and can exploit the vulnerability over the network with low attack complexity, though user interaction is necessary. Successful exploitation changes the scope and enables high-impact effects on confidentiality, integrity, and availability, culminating in arbitrary code execution on the targeted system.

Mitigation details are available in related advisories, including https://github.com/esquim0/Common_Vulnerabilities_and_Exposures_CVE/blob/main/2024/MyNet.md and the vendor site at https://www.airc.pt/solucoes-servicos/solucoes?segment=MYN.

Details

CWE(s)
CWE-74CWE-75

Affected Products

airc
mynet
≤ 26.06

CVEs Like This One

CVE-2026-2019Shared CWE-74
CVE-2026-31908Shared CWE-75
CVE-2026-32695Shared CWE-74
CVE-2025-20337Shared CWE-74
CVE-2026-26002Shared CWE-74
CVE-2026-27727Shared CWE-74
CVE-2026-27194Shared CWE-74
CVE-2025-64428Shared CWE-74
CVE-2026-25814Shared CWE-74
CVE-2024-39604Shared CWE-74

References