Cyber Resilience

CVE-2024-50660

CriticalRCE

Published: 07 January 2025

Published
07 January 2025
Modified
10 October 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0153 81.7th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-50660 is a critical-severity Code Injection (CWE-94) vulnerability in Ipublishmedia Adportal. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 18.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-50660 is a critical file upload bypass vulnerability in AdPortal 3.0.39, enabling remote attackers to execute arbitrary code through the file upload functionality. Assigned CWE-94 (code injection), it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and potential for complete compromise of confidentiality, integrity, and availability.

Any unauthenticated remote attacker can exploit this vulnerability by uploading malicious files via the affected functionality, leading to arbitrary code execution on the server. The attack requires no special privileges or user interaction, making it highly practical for widespread exploitation against exposed AdPortal 3.0.39 instances.

Mitigation details are available in vendor advisories and related documents, including resources at http://adportal.com, http://ipublish.com, and https://petercipolone.info/wp-content/uploads/2025/01/iPublishMedia_AdPortal3.0.39_CVEs.pdf, which security practitioners should review for patching instructions, workarounds, or configuration changes. The vulnerability was published on 2025-01-07.

EU & UK References

Vulnerability details

File Upload Bypass was found in AdPortal 3.0.39 allows a remote attacker to execute arbitrary code via the file upload functionality

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Direct unauthenticated RCE on public-facing web app via malicious file upload enables T1190 and web shell deployment (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-50658Same product: Ipublishmedia Adportal
CVE-2024-57487Shared CWE-94
CVE-2025-70995Shared CWE-94
CVE-2026-32367Shared CWE-94
CVE-2026-3352Shared CWE-94
CVE-2026-30117Shared CWE-94
CVE-2026-45708Shared CWE-94
CVE-2023-53888Shared CWE-94
CVE-2026-26699Shared CWE-94
CVE-2025-70073Shared CWE-94

Affected Assets

ipublishmedia
adportal
3.0.39

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 directly prevents file upload bypass vulnerabilities by enforcing validation of uploaded files to block malicious code injection.

prevent

SI-9 restricts file upload inputs by type, size, and other attributes, mitigating bypasses that allow arbitrary code execution.

prevent

SI-2 requires timely patching and remediation of the specific file upload flaw in AdPortal 3.0.39.

References