CVE-2024-38288
Published: 25 July 2024
Summary
CVE-2024-38288 is a high-severity Command Injection (CWE-77) vulnerability in Rhubcom Turbomeeting. Its CVSS base score is 7.2 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks in the top 1.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2024-38288 is a command-injection vulnerability, tracked under CWE-77, that affects the Certificate Signing Request functionality in R-HUB TurboMeeting through version 8.x. The flaw resides in the handling of CSR input on the server side and carries a CVSS 3.1 score of 7.2.
An attacker who has already obtained administrator credentials can submit a crafted CSR over the network and cause the application to execute arbitrary operating-system commands as root, resulting in full control of the underlying server.
Public references point to a detailed Google security-research advisory (GHSA-gx6g-8mvx-3q5c) and R-HUB product manuals for additional context, though no specific patch or mitigation steps are enumerated in the available references. The associated EPSS score sits at 0.6854 with no documented rise from a lower baseline.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-37248
Vulnerability details
A command-injection issue in the Certificate Signing Request (CSR) functionality in R-HUB TurboMeeting through 8.x allows authenticated attackers with administrator privileges to execute arbitrary commands on the underlying server as root.
- CWE(s): CWE-77 (Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in the CSR functionality lets an authenticated administrator execute arbitrary Unix shell commands (T1059.004) as root through the remote web service (T1210, Exploitation of Remote Services), which amounts to privilege escalation from application administrator to root on the host (T1068).
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.