CVE-2024-38346
Published: 05 July 2024
Summary
CVE-2024-38346 is a critical-severity Code Injection (CWE-94) vulnerability in Apache Cloudstack. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 15.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-38346 affects Apache CloudStack, specifically its cluster service that listens on an unauthenticated TCP port (default 9090). The service allows execution of arbitrary commands against hypervisors and management-server hosts; several of those commands contain injection flaws (CWE-94) that permit arbitrary code execution by agents that may run with elevated privileges on the target hosts.
An attacker with network reachability to the unauthenticated port can submit crafted requests that trigger remote code execution on any CloudStack-managed host, resulting in full compromise of confidentiality, integrity, and availability of the infrastructure. No authentication or user interaction is required, consistent with the CVSS 9.8 rating.
Advisories recommend immediately restricting inbound access to port 9090 so that only peer CloudStack management servers may connect, and upgrading to version 4.18.2.1, 4.19.0.2, or later.
The EPSS score rose from a low baseline to a peak of 0.0503 on 2025-12-18 before receding to the current value of 0.0223, indicating that exploitation interest increased after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-37272
Vulnerability details
The CloudStack cluster service runs on unauthenticated port (default 9090) that can be misused to run arbitrary commands on targeted hypervisors and CloudStack management server hosts. Some of these commands were found to have command injection vulnerabilities that can result in arbitrary code execution via agents on the hosts that may run as a privileged user. An attacker that can reach the cluster service on the unauthenticated port (default 9090), can exploit this to perform remote code execution on CloudStack managed hosts and result in complete compromise of the confidentiality, integrity, and availability of CloudStack managed infrastructure. Users are recommended to restrict the network access to the cluster service port (default 9090) on a CloudStack management server host to only its peer CloudStack management server hosts. Users are recommended to upgrade to version 4.18.2.1, 4.19.0.2 or later, which addresses this issue.
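The two remediation steps in the advisory, checking whether a deployed release predates the fixed versions and restricting the cluster port to peer management servers, as an added example (not from the advisory or the CloudStack project). It assumes dotted numeric version strings and uses constructed peer addresses; the firewall rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Added example for CVE-2024-38346 remediation checks; not CloudStack project code.
# Assumption: version strings are dotted numerics such as 4.19.0.1 (a trailing
# suffix like -SNAPSHOT is ignored). Peer addresses below are constructed samples.

# Compare two dotted versions component by component; prints -1, 0 or 1.
vercmp() {
  a="$1."; b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; a="${a#*.}"
    y="${b%%.*}"; b="${b#*.}"
    x="${x%%[!0-9]*}"; y="${y%%[!0-9]*}"   # drop non-numeric suffixes
    [ -z "$x" ] && x=0; [ -z "$y" ] && y=0
    if [ "$x" -lt "$y" ]; then echo -1; return; fi
    if [ "$x" -gt "$y" ]; then echo 1; return; fi
  done
  echo 0
}

# Fixed releases named in the advisory: 4.18.2.1 and 4.19.0.2 (or later).
# Succeeds (exit 0) when VERSION is below the fix for its branch, fails otherwise.
is_vulnerable() {
  case "$1" in
    4.19.*) [ "$(vercmp "$1" 4.19.0.2)" -lt 0 ] ;;
    *)      [ "$(vercmp "$1" 4.18.2.1)" -lt 0 ] ;;
  esac
}

# Print iptables rules admitting TCP/PORT (default 9090) only from the listed
# peer management servers and dropping every other source.
cluster_port_rules() {
  port="${2:-9090}"
  for peer in $1; do
    echo "iptables -A INPUT -p tcp --dport $port -s $peer -j ACCEPT"
  done
  echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Constructed sample: two peer management servers on a private network.
is_vulnerable 4.19.0.1 && echo "4.19.0.1 predates the fix; upgrade to 4.19.0.2"
cluster_port_rules "10.0.0.11 10.0.0.12"
```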
- CWE(s): CWE-94 (Improper Control of Generation of Code, "Code Injection")
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.
- Validates inputs used in dynamic code generation to block injected directives.
- Directly prevents execution of attacker-supplied code written into data memory regions.