CVE-2024-28892
Published: 21 November 2024
Summary
CVE-2024-28892 is a critical-severity OS Command Injection (CWE-78) vulnerability in Mayuresh82 GoCast. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 16.6% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.
Deeper analysis
An OS command injection vulnerability exists in the name parameter of GoCast version 1.1.3 and is tracked as CVE-2024-28892. The flaw, categorized under CWE-78, allows a specially crafted HTTP request to execute arbitrary operating system commands on the affected system. It carries a CVSS 3.1 score of 9.8, reflecting network-accessible, low-complexity exploitation with no required authentication or user interaction.
An unauthenticated attacker can trigger the issue by sending a malicious HTTP request to the vulnerable parameter, resulting in full compromise of confidentiality, integrity, and availability on the target host. The attack requires only the ability to reach the GoCast service over the network.
The EPSS score for this CVE rose from a low baseline to a peak of 0.0665 on 2025-12-11 before receding to the current value of 0.0185, indicating a period of increased exploitation interest after disclosure. Detailed analysis is available in the Talos Intelligence reports at the referenced URLs.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-3557
Vulnerability details
An OS command injection vulnerability exists in the name parameter of GoCast 1.1.3. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.
- CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command, i.e. OS Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.