CVE-2024-38289
Published: 25 July 2024
Summary
CVE-2024-38289 is a critical-severity SQL Injection (CWE-89) vulnerability in Rhubcom Turbomeeting. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
A boolean-based SQL injection vulnerability exists in the Virtual Meeting Password (VMP) endpoint of R-HUB TurboMeeting through version 8.x. Tracked as CVE-2024-38289 and assigned CWE-89, the flaw carries a CVSS 3.1 score of 9.8 and permits crafted SQL input to interact directly with the backend database.
Unauthenticated remote attackers can supply malicious payloads to the VMP endpoint to extract password hashes stored in the database and subsequently authenticate to the application, achieving full access without any prior credentials or user interaction.
Public references consist of the Google security-research advisory GHSA-vx5j-8pgx-v42v and the vendor’s product manuals at rhubcom.com; the EPSS score stands at 0.8425 with no material increase from a lower baseline after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-37249
Vulnerability details
A boolean-based SQL injection issue in the Virtual Meeting Password (VMP) endpoint in R-HUB TurboMeeting through 8.x allows unauthenticated remote attackers to extract hashed passwords from the database, and authenticate to the application, via crafted SQL input.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in public-facing web app enables unauthenticated exploitation (T1190), credential theft via database query for hashed admin passwords (T1212), and data collection from backend database (T1213.006).
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.