Cyber Resilience

CVE-2024-28892

Critical RCE

Published: 21 November 2024
Modified: 20 December 2024
KEV Added: not listed
Patch: (no value given)
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0185 (83.4th percentile)
Risk Priority: 21 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-28892 is a critical-severity OS Command Injection (CWE-78) vulnerability in GoCast (vendor mayuresh82). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, its EPSS score places it in the top 16.6% of CVEs by predicted exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

An OS command injection vulnerability exists in the name parameter of GoCast version 1.1.3 and is tracked as CVE-2024-28892. The flaw, categorized under CWE-78, allows a specially crafted HTTP request to execute arbitrary operating system commands on the affected system. It carries a CVSS 3.1 score of 9.8, reflecting network-accessible, low-complexity exploitation with no required authentication or user interaction.

An unauthenticated attacker can trigger the issue by sending a malicious HTTP request to the vulnerable parameter, resulting in full compromise of confidentiality, integrity, and availability on the target host. The attack requires only the ability to reach the GoCast service over the network.

The EPSS score for this CVE rose from a low baseline to a peak of 0.0665 on 2025-12-11 before receding to the current value of 0.0185, indicating a period after disclosure in which the predicted likelihood of exploitation increased. EPSS measures predicted exploitation probability, not confirmed in-the-wild activity; the absence of a KEV listing is consistent with that. Detailed analysis is available in the Talos Intelligence report for this CVE.

Vulnerability details

An OS command injection vulnerability exists in the name parameter of GoCast 1.1.3. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: mayuresh82
Product: gocast
Version: 1.1.3

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Managed runtime / sandbox (addresses CWE-78)

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection. This generic control is unlikely to help here: GoCast is a standalone network daemon rather than an application hosted in a managed runtime, and the vulnerable code path already reaches the operating system. Treat it as CWE-level guidance, not a mitigation for this CVE.

Input validation (addresses CWE-78)

Validates inputs to block special elements that would alter OS command execution. For this vulnerability that means rejecting, rather than escaping, any name value that falls outside a strict allowlist before it can reach a command line, and preferring process-execution APIs that take an argument vector over ones that hand a string to a shell. Until 1.1.3 is replaced by a fixed release, restricting network access to the GoCast API to trusted hosts removes the unauthenticated attack path described above.
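The following is an added example, not code from GoCast or from this page. It illustrates two things described above: the CWE-78 pattern behind the "specially crafted HTTP request" in the analysis section (an untrusted name value interpolated into a shell command line), and the input-validation control listed here (an allowlist applied before the value reaches a command, with the command invoked as an argument vector rather than through a shell). The /register endpoint, the name allowlist, the logger invocation and the request log lines are all assumptions made for the example; the real vulnerable code path in GoCast 1.1.3 is not shown on this page.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"os/exec"
	"regexp"
	"strings"
)

// Allowlist for the name parameter. This is an assumed policy for the
// example, not GoCast's own rule: letters, digits, '_', '.', '-', max 64.
var appNameRe = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$`)

var ErrBadName = errors.New("name contains characters outside the allowlist")

// ValidateAppName rejects anything that could alter a command line.
func ValidateAppName(name string) error {
	if !appNameRe.MatchString(name) {
		return ErrBadName
	}
	return nil
}

// VulnerableCommand shows the CWE-78 pattern: untrusted input is pasted into
// a string that a shell parses, so "; id" becomes a second command.
// The logger invocation is hypothetical; it is not what GoCast runs.
func VulnerableCommand(name string) *exec.Cmd {
	return exec.Command("sh", "-c", "logger -t gocast registered "+name)
}

// SafeCommand passes the validated name as its own argv element with no shell
// in between, so metacharacters are never interpreted.
func SafeCommand(name string) (*exec.Cmd, error) {
	if err := ValidateAppName(name); err != nil {
		return nil, err
	}
	return exec.Command("logger", "-t", "gocast", "registered", name), nil
}

// registerHandler is a hypothetical /register endpoint reading ?name=.
// It reports the argv it would execute instead of running it, so the
// example stays offline.
func registerHandler(w http.ResponseWriter, r *http.Request) {
	name := r.URL.Query().Get("name")
	cmd, err := SafeCommand(name)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "argv=%q\n", cmd.Args)
}

// Register returns the HTTP status the hardened handler gives a query string.
func Register(rawQuery string) int {
	req := httptest.NewRequest(http.MethodGet, "/register?"+rawQuery, nil)
	rec := httptest.NewRecorder()
	registerHandler(rec, req)
	return rec.Code
}

// SuspiciousNames scans request lines of the form "GET /register?name=...",
// URL-decodes the name and returns the values that fail the allowlist.
// Useful for hunting in access logs from a proxy in front of the daemon.
func SuspiciousNames(lines []string) []string {
	var hits []string
	for _, line := range lines {
		i := strings.Index(line, "?")
		if i < 0 {
			continue
		}
		q := line[i+1:]
		if end := strings.IndexAny(q, " "); end >= 0 {
			q = q[:end]
		}
		vals, err := url.ParseQuery(q)
		if err != nil {
			continue
		}
		name := vals.Get("name")
		if name != "" && ValidateAppName(name) != nil {
			hits = append(hits, name)
		}
	}
	return hits
}

// SampleLog is constructed for this example; it is not real GoCast output.
var SampleLog = []string{
	`GET /register?name=web-01&vip=10.0.0.1/32 HTTP/1.1`,
	`GET /register?name=web%3B%20id%20%3E%20/tmp/o&vip=10.0.0.2/32 HTTP/1.1`,
	`GET /register?name=db%24(id)&vip=10.0.0.3/32 HTTP/1.1`,
}

func main() {
	fmt.Printf("vulnerable argv: %q\n", VulnerableCommand("web; id").Args)
	fmt.Println("status for web-01:", Register("name=web-01"))
	fmt.Println("status for injected name:", Register("name=web%3B%20id"))
	fmt.Printf("flagged names: %q\n", SuspiciousNames(SampleLog))
}
```

The allowlist is deliberately narrow: rejecting everything outside a small character set is more robust than trying to enumerate and escape shell metacharacters, and it also neutralises newline, backtick and quoting tricks that escape-based filters tend to miss. The second argv form is the real fix; the allowlist is defence in depth.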
