Cyber Resilience

CVE-2024-38289

CriticalPublic PoC

Published: 25 July 2024

Published
25 July 2024
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.8425 99.3th percentile
Risk Priority 70 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-38289 is a critical-severity SQL Injection (CWE-89) vulnerability in Rhubcom Turbomeeting. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

A boolean-based SQL injection vulnerability exists in the Virtual Meeting Password (VMP) endpoint of R-HUB TurboMeeting through version 8.x. Tracked as CVE-2024-38289 and assigned CWE-89, the flaw carries a CVSS 3.1 score of 9.8 and permits crafted SQL input to interact directly with the backend database.

Unauthenticated remote attackers can supply malicious payloads to the VMP endpoint to extract password hashes stored in the database and subsequently authenticate to the application, achieving full access without any prior credentials or user interaction.

Public references consist of the Google security-research advisory GHSA-vx5j-8pgx-v42v and the vendor’s product manuals at rhubcom.com; the EPSS score stands at 0.8425 with no material increase from a lower baseline after disclosure.

EU & UK References

Vulnerability details

A boolean-based SQL injection issue in the Virtual Meeting Password (VMP) endpoint in R-HUB TurboMeeting through 8.x allows unauthenticated remote attackers to extract hashed passwords from the database, and authenticate to the application, via crafted SQL input.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1212 Exploitation for Credential Access Credential Access
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in public-facing web app enables unauthenticated exploitation (T1190), credential theft via database query for hashed admin passwords (T1212), and data collection from backend database (T1213.006).

Affected Assets

rhubcom
turbomeeting
≤ 8.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-89

Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

addresses: CWE-89

Validates query inputs to prevent SQL syntax or command manipulation.

References