CVE-2024-46506
Published: 13 May 2025
Summary
CVE-2024-46506 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in NetAlertX. Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 0.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
NetAlertX versions 23.01.14 through 24.x before 24.10.12 contain an unauthenticated command injection vulnerability in the settings update mechanism. The flaw stems from missing authentication checks on the savesettings function in settings.php and util.php, allowing remote attackers to execute arbitrary commands on the underlying system.
Unauthenticated attackers with network access can exploit the issue by directly invoking the vulnerable endpoint, achieving full remote code execution with impacts across confidentiality, integrity, and availability. The CVSS 10.0 score reflects the absence of required credentials or user interaction combined with the scope of compromise.
The referenced research from Rhino Security Labs details the root cause and confirms the issue was exploited in the wild in May 2025. Upgrading to version 24.10.12 addresses the missing authentication requirement.
The associated EPSS score has reached a peak of 0.9149 with a current value of 0.9096, indicating sustained exploitation interest following public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-14500
Vulnerability details
NetAlertX 23.01.14 through 24.x before 24.10.12 allows unauthenticated command injection via settings update because function=savesettings lacks an authentication requirement, as exploited in the wild in May 2025. This is related to settings.php and util.php.
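To turn the stated version range and the named endpoint into checks a defender can run, here is an added example (not NetAlertX project code): it parses NetAlertX's date-style version strings, tests them against the affected range, and flags access-log requests to settings.php or util.php that carry function=savesettings. The log lines, the request paths and the log format are constructed for illustration; NetAlertX's real request paths may differ.

```python
import re
from typing import List, Optional, Tuple

# Affected range as stated in the advisory: 23.01.14 through 24.x before 24.10.12.
FIRST_AFFECTED = (23, 1, 14)
FIXED_IN = (24, 10, 12)
VERSION_RE = re.compile(r"^v?(\d{2})\.(\d{1,2})\.(\d{1,2})$")

def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse a NetAlertX-style date version (yy.mm.dd, e.g. '24.10.12');
    returns None for anything that is not three numeric fields."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    y, mo, d = (int(x) for x in m.groups())
    return (y, mo, d)

def is_affected(version: str) -> bool:
    """True when the version lies in [23.01.14, 24.10.12); tuple comparison
    orders the date-based numbers correctly, so any 24.x below 24.10.12 is caught."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised NetAlertX version: {version!r}")
    return FIRST_AFFECTED <= v < FIXED_IN

# One combined-format access-log line. Matches only requests whose script is
# settings.php or util.php and whose query carries function=savesettings (the
# endpoint named in the advisory); the exact path shape is an assumption.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S*(?:settings|util)\.php\S*function=savesettings\S*) HTTP/'
)

def find_savesettings_requests(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, method, path) for each request to the savesettings
    endpoint. On an affected host these deserve review, since the endpoint
    accepted them without any login."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            hits.append((m.group("ip"), m.group("method"), m.group("path")))
    return hits
# Constructed sample log lines (not real NetAlertX traffic) for a quick run.
SAMPLE_LOG = """\
203.0.113.5 - - [14/May/2025:09:12:01 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.9 - - [14/May/2025:09:12:07 +0000] "POST /util.php?function=savesettings HTTP/1.1" 200 88
198.51.100.4 - - [14/May/2025:09:13:44 +0000] "GET /settings.php?function=savesettings&x=1 HTTP/1.1" 200 90
"""
```

Hosts whose reported version is flagged by is_affected and whose logs show savesettings hits should be treated as possibly compromised until reviewed, not merely upgraded.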
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces authentication and authorization checks on the savesettings function to block unauthenticated command injection.
- IA-2 (Identification and Authentication (Organizational Users)): requires identification and authentication of users before allowing access to the vulnerable settings endpoint.
- Input validation: validates and sanitizes input to the savesettings function, mitigating command injection even if the endpoint is reached.
Hardening callouts derived
Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).
Oracle Linux 8 (2 rules)
- V-248585 OL 8 must require reauthentication when using the "sudo" command. via CWE-306
- V-248827 OL 8 must not have the rsh-server package installed. via CWE-306
RHEL 7 (2 rules)
- V-204442 The Red Hat Enterprise Linux operating system must not have the rsh-server package installed. via CWE-306
- V-237635 The Red Hat Enterprise Linux operating system must require re-authentication when using the "sudo" command. via CWE-306
RHEL 8 (2 rules)
- V-230492 RHEL 8 must not have the rsh-server package installed. via CWE-306
- V-237643 RHEL 8 must require re-authentication when using the "sudo" command. via CWE-306