CVE-2024-27708
Published: 22 December 2025
Summary
CVE-2024-27708 is a critical-severity Injection (CWE-74) vulnerability in Airc Mynet. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2024-27708 is an iframe injection vulnerability in airc.pt/solucoes-servicos.solucoes MyNET versions 26.06 and earlier. The flaw allows a remote attacker to execute arbitrary code by manipulating the src parameter, as associated with CWEs-74 and CWE-75. Published on 2025-12-22, it carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
A remote attacker requires no privileges and can exploit the vulnerability over the network with low attack complexity, though user interaction is necessary. Successful exploitation changes the scope and enables high-impact effects on confidentiality, integrity, and availability, culminating in arbitrary code execution on the targeted system.
Mitigation details are available in related advisories, including https://github.com/esquim0/Common_Vulnerabilities_and_Exposures_CVE/blob/main/2024/MyNet.md and the vendor site at https://www.airc.pt/solucoes-servicos/solucoes?segment=MYN.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-24902
Vulnerability details
Iframe injection vulnerability in airc.pt/solucoes-servicos.solucoes MyNET v.26.06 and before allows a remote attacker to execute arbitrary code via the src parameter.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Iframe injection vulnerability in public-facing web application allows remote unauthenticated attacker with user interaction to achieve arbitrary code execution, directly mapping to exploitation of public-facing applications.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates CVE-2024-27708 by requiring identification, reporting, and correction of the specific iframe injection flaw in MyNET v.26.06 and earlier.
Enforces validation of the src parameter input to block malicious iframe injections leading to arbitrary code execution.
Filters output of the src parameter in iframe elements to prevent injection of arbitrary code by remote attackers.