Cyber Resilience

CVE-2024-46506

Critical · Public PoC · High EPSS · Updated

Published: 13 May 2025
Modified: 17 June 2026
KEV Added: not listed
Patch: available (24.10.12)
CVSS v3.1 score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS score: 0.6231 (99.1st percentile)
Risk priority: 80 (floored blend, peak EPSS)

Summary

CVE-2024-46506 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in NetAlertX (vendor Netalertx). Its CVSS v3.1 base score is 10.0 (Critical).

Operationally, it ranks in the top 0.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

NetAlertX versions 23.01.14 through 24.x before 24.10.12 contain an unauthenticated command injection vulnerability in the settings update mechanism. The flaw stems from missing authentication checks on the savesettings function in settings.php and util.php, allowing remote attackers to execute arbitrary commands on the underlying system.

Unauthenticated attackers with network access can exploit the issue by directly invoking the vulnerable endpoint, achieving full remote code execution with impacts across confidentiality, integrity, and availability. The CVSS 10.0 score reflects the absence of required credentials or user interaction combined with the scope of compromise.

The referenced research from Rhino Security Labs details the root cause and confirms the issue was exploited in the wild in May 2025. Upgrading to version 24.10.12 addresses the missing authentication requirement.

The associated EPSS score has reached a peak of 0.9149 with a current value of 0.9096, indicating sustained exploitation interest following public disclosure.


Vulnerability details

NetAlertX 23.01.14 through 24.x before 24.10.12 allows unauthenticated command injection via settings update because function=savesettings lacks an authentication requirement, as exploited in the wild in May 2025. This is related to settings.php and util.php.

CWE(s)

CWE-306: Missing Authentication for Critical Function


CVEs Like This One

  • CVE-2025-32440 (same product: Netalertx NetAlertX)
  • CVE-2024-48766 (same product: Netalertx NetAlertX)
  • CVE-2025-48952 (same product: Netalertx NetAlertX)
  • CVE-2026-1023 (shared CWE-306)
  • CVE-2024-48882 (shared CWE-306)
  • CVE-2026-28468 (shared CWE-306)
  • CVE-2026-2603 (shared CWE-306)
  • CVE-2021-44262 (shared CWE-306)
  • CVE-2026-24423 (shared CWE-306)
  • CVE-2026-25084 (shared CWE-306)

Affected Assets

Vendor: netalertx
Product: netalertx
Versions: 23.01.14 up to, but not including, 24.10.12

Mitigating Controls (NIST 800-53 r5) [AI]

  • prevent: Directly enforces authentication and authorization checks on the savesettings function to block unauthenticated command injection.
  • prevent: Requires identification and authentication of users before allowing access to the vulnerable settings endpoint.
  • prevent: Validates and sanitizes input to the savesettings function, mitigating command injection even if the endpoint is reached.
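As an added example (not NetAlertX's code and not part of this record), the following Python helper covers two defender-side checks drawn from the Deeper analysis and the Mitigating Controls above: it tests whether an inventoried NetAlertX version falls in the affected range (23.01.14 up to, but not including, 24.10.12), and it triages a combined-format web access log written by a reverse proxy in front of the application for requests carrying `function=savesettings`, which on unpatched builds are accepted without a session. The log lines, the `/util.php` request path, the client addresses and the reverse-proxy deployment are constructed assumptions; the page itself names only the function parameter and the PHP file names.

```python
"""Triage helpers for CVE-2024-46506 (NetAlertX, CWE-306).

Added example, not NetAlertX project code. Assumptions: a reverse proxy in front of
NetAlertX writes a standard combined-format access log, and the affected range is
23.01.14 <= version < 24.10.12, as the advisory text states.
"""
import re
from collections import Counter

FIRST_AFFECTED = (23, 1, 14)   # first affected release named in the advisory
FIXED = (24, 10, 12)           # release that adds the missing authentication check


def parse_version(version):
    """Turn a NetAlertX calendar-style version such as '24.10.12' into a comparable tuple."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised NetAlertX version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version):
    """True when the installed version falls inside the advisory's affected range."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED


# Combined log format: ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_savesettings_request(rec):
    """Match requests to the settings-update function. Only the query parameter named
    on the advisory page is matched; the script path differs between deployments."""
    return "function=savesettings" in rec["path"].lower()


def triage(lines):
    """Return (hits, per_ip): the matching log records and a per-client count.

    On vulnerable versions every such request deserves review, because the server
    did not require a session before acting on it; upgrading is the real fix.
    """
    hits = [rec for rec in map(parse_line, lines) if rec and is_savesettings_request(rec)]
    return hits, Counter(h["ip"] for h in hits)


# Constructed sample log; addresses are documentation ranges, paths are assumed.
SAMPLE_LOG = """\
203.0.113.7 - - [14/May/2025:09:12:01 +0000] "GET /index.php HTTP/1.1" 200 1287 "-" "Mozilla/5.0"
203.0.113.7 - - [14/May/2025:09:12:03 +0000] "POST /util.php?function=savesettings HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [14/May/2025:09:15:44 +0000] "GET /settings.php HTTP/1.1" 200 9921 "http://nax.internal/" "Mozilla/5.0"
203.0.113.7 - - [14/May/2025:09:12:09 +0000] "POST /util.php?function=savesettings HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for v in ("23.01.13", "23.01.14", "24.10.11", "24.10.12"):
        print(f"NetAlertX {v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    hits, per_ip = triage(SAMPLE_LOG.splitlines())
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} savesettings request(s)")
```

Run it against a real proxy log by replacing `SAMPLE_LOG` with the file contents; pair any hit with the installed version check, since a request to the function on a patched build is ordinary administrator activity.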

Hardening callouts (derived)

Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).

Oracle Linux 8 (2 rules)
  • V-248585 OL 8 must require reauthentication when using the "sudo" command. via CWE-306
  • V-248827 OL 8 must not have the rsh-server package installed. via CWE-306
RHEL 7 (2 rules)
  • V-204442 The Red Hat Enterprise Linux operating system must not have the rsh-server package installed. via CWE-306
  • V-237635 The Red Hat Enterprise Linux operating system must require re-authentication when using the "sudo" command. via CWE-306
RHEL 8 (2 rules)
  • V-230492 RHEL 8 must not have the rsh-server package installed. via CWE-306
  • V-237643 RHEL 8 must require re-authentication when using the "sudo" command. via CWE-306
