Cyber Resilience

CVE-2024-27708

CriticalPublic PoC

Published: 22 December 2025

Published
22 December 2025
Modified
02 January 2026
KEV Added
Patch
CVSS Score v3.1 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0051 39.6th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-27708 is a critical-severity Injection (CWE-74) vulnerability in Airc Mynet. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2024-27708 is an iframe injection vulnerability in airc.pt/solucoes-servicos.solucoes MyNET versions 26.06 and earlier. The flaw allows a remote attacker to execute arbitrary code by manipulating the src parameter, as associated with CWEs-74 and CWE-75. Published on 2025-12-22, it carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

A remote attacker requires no privileges and can exploit the vulnerability over the network with low attack complexity, though user interaction is necessary. Successful exploitation changes the scope and enables high-impact effects on confidentiality, integrity, and availability, culminating in arbitrary code execution on the targeted system.

Mitigation details are available in related advisories, including https://github.com/esquim0/Common_Vulnerabilities_and_Exposures_CVE/blob/main/2024/MyNet.md and the vendor site at https://www.airc.pt/solucoes-servicos/solucoes?segment=MYN.

EU & UK References

Vulnerability details

Iframe injection vulnerability in airc.pt/solucoes-servicos.solucoes MyNET v.26.06 and before allows a remote attacker to execute arbitrary code via the src parameter.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Iframe injection vulnerability in public-facing web application allows remote unauthenticated attacker with user interaction to achieve arbitrary code execution, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-64428Shared CWE-74
CVE-2022-31631Shared CWE-74
CVE-2026-6279Shared CWE-74
CVE-2026-32695Shared CWE-74
CVE-2026-7770Shared CWE-74
CVE-2026-26002Shared CWE-74
CVE-2026-45344Shared CWE-74
CVE-2026-27727Shared CWE-74
CVE-2026-31908Shared CWE-75
CVE-2024-39604Shared CWE-74

Affected Assets

airc
mynet
≤ 26.06

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates CVE-2024-27708 by requiring identification, reporting, and correction of the specific iframe injection flaw in MyNET v.26.06 and earlier.

prevent

Enforces validation of the src parameter input to block malicious iframe injections leading to arbitrary code execution.

prevent

Filters output of the src parameter in iframe elements to prevent injection of arbitrary code by remote attackers.

References