CVE-2024-37777
Published: 27 August 2025
Summary
CVE-2024-37777 is a high-severity Improper Input Validation (CWE-20) vulnerability in Zoneland O2Oa. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 32.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-37777 is a remote code execution (RCE) vulnerability affecting O2OA version 9.0.3, specifically through the mainOutput() function. It has been assigned a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-20 (Improper Input Validation) and CWE-94 (Improper Control of Generation of Code). The flaw allows attackers to execute arbitrary code on the targeted system.
An unauthenticated attacker can exploit this vulnerability over the network with low complexity, though it requires user interaction, such as tricking a user into performing a specific action. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, potentially leading to full system compromise, data theft, or further lateral movement within the environment.
The primary reference for this vulnerability is a GitHub issue at https://github.com/o2oa/o2oa/issues/158, which may provide additional details on patches or mitigation steps. Security practitioners should review it for vendor-specific remediation guidance and apply updates to affected O2OA deployments promptly.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-54917
Vulnerability details
O2OA v9.0.3 was discovered to contain a remote code execution (RCE) vulnerability via the mainOutput() function.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
RCE via improper input validation/code generation in a network-accessible application directly enables exploitation of public-facing apps (T1190) leading to arbitrary command execution (T1059).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the CWE-20 improper input validation in the mainOutput() function that enables remote code execution.
Requires timely identification, reporting, and correction of the specific RCE flaw in O2OA v9.0.3.
Enables scanning for and remediation of the known vulnerability prior to exploitation attempts.