CVE-2024-48288
Published: 21 November 2024
Summary
CVE-2024-48288 is a high-severity Command Injection (CWE-77) vulnerability in Tp-Link Tl-Ipc42C Firmware. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 5.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
TP-Link TL-IPC42C V4.0_20211227_1.0.16 contains a command-injection vulnerability (CWE-77) that stems from missing validation of untrusted input on both the web frontend and backend. The flaw is rated CVSS 8.0 and permits an attacker to execute arbitrary operating-system commands on the affected camera firmware.
An attacker with network adjacency and a valid low-privileged account can supply crafted input that bypasses the missing checks, resulting in full control over the device and the ability to read, modify, or delete data as well as disrupt availability. No authentication beyond the local network login is required, and the attack does not depend on user interaction.
Public proof-of-concept code demonstrating remote code execution against this model has been published, yet no vendor advisory, firmware update, or mitigation guidance appears among the referenced sources. The associated EPSS score has remained steady at 0.1502 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-43172
Vulnerability details
TP-Link TL-IPC42C V4.0_20211227_1.0.16 is vulnerable to command injection due to the lack of malicious code verification on both the frontend and backend.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection vulnerability in TP-Link IP camera web interface (public-facing application) enables remote exploitation (T1190) for arbitrary command execution (T1059).
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.