Cyber Resilience

CVE-2024-40089

CriticalRCE

Published: 21 October 2024

Published
21 October 2024
Modified
07 July 2025
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0483 89.8th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-40089 is a critical-severity Command Injection (CWE-77) vulnerability in Viloliving Vilo 5 Firmware. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked in the top 10.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

A Command Injection vulnerability in Vilo 5 Mesh WiFi System <= 5.16.1.33 allows remote, authenticated attackers to execute arbitrary code by injecting shell commands into the name of the Vilo device.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Command injection vulnerability enables remote authenticated execution of arbitrary Unix shell commands (T1059.004) via exploitation of the device's remote management service (T1210).

Affected Assets

viloliving
vilo 5 firmware
≤ 5.16.1.33

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References