Cyber Resilience

CVE-2024-37777

HighPublic PoCRCE

Published: 27 August 2025

Published
27 August 2025
Modified
09 September 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0053 67.8th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-37777 is a high-severity Improper Input Validation (CWE-20) vulnerability in Zoneland O2Oa. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 32.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-37777 is a remote code execution (RCE) vulnerability affecting O2OA version 9.0.3, specifically through the mainOutput() function. It has been assigned a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-20 (Improper Input Validation) and CWE-94 (Improper Control of Generation of Code). The flaw allows attackers to execute arbitrary code on the targeted system.

An unauthenticated attacker can exploit this vulnerability over the network with low complexity, though it requires user interaction, such as tricking a user into performing a specific action. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, potentially leading to full system compromise, data theft, or further lateral movement within the environment.

The primary reference for this vulnerability is a GitHub issue at https://github.com/o2oa/o2oa/issues/158, which may provide additional details on patches or mitigation steps. Security practitioners should review it for vendor-specific remediation guidance and apply updates to affected O2OA deployments promptly.

EU & UK References

Vulnerability details

O2OA v9.0.3 was discovered to contain a remote code execution (RCE) vulnerability via the mainOutput() function.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

RCE via improper input validation/code generation in a network-accessible application directly enables exploitation of public-facing apps (T1190) leading to arbitrary command execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-42588Shared CWE-20, CWE-94
CVE-2026-27577Shared CWE-94
CVE-2025-57644Shared CWE-20, CWE-94
CVE-2024-54756Shared CWE-94
CVE-2024-21760Shared CWE-94
CVE-2024-55028Shared CWE-94
CVE-2025-2303Shared CWE-94
CVE-2025-55270Shared CWE-20
CVE-2026-41258Shared CWE-94
CVE-2025-67847Shared CWE-94

Affected Assets

zoneland
o2oa
9.0.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the CWE-20 improper input validation in the mainOutput() function that enables remote code execution.

prevent

Requires timely identification, reporting, and correction of the specific RCE flaw in O2OA v9.0.3.

prevent

Enables scanning for and remediation of the known vulnerability prior to exploitation attempts.

References