CVE-2024-54756
Published: 20 February 2025
Summary
CVE-2024-54756 is a critical-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 15.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 requires organizations to identify, report, and correct flaws like the ZScript RCE in GZDoom, directly preventing exploitation through timely patching.
SI-3 mandates malicious code protection mechanisms that scan and block crafted PK3 files containing malicious ZScript before execution.
SI-10 enforces validation of information inputs such as PK3 file contents to prevent improper control of code generation leading to RCE via malicious ZScript.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
RCE via crafted input directly enables remote exploitation of a public-facing app (T1190) and arbitrary command/script execution (T1059).
NVD Description
A remote code execution (RCE) vulnerability in the ZScript function of ZDoom Team GZDoom v4.13.1 allows attackers to execute arbitrary code via supplying a crafted PK3 file containing a malicious ZScript source file.
Deeper analysis
CVE-2024-54756 is a remote code execution (RCE) vulnerability affecting the ZScript function in ZDoom Team GZDoom version 4.13.1. The flaw allows attackers to execute arbitrary code by supplying a crafted PK3 file that contains a malicious ZScript source file. It has been assigned a CVSS v3.1 base score of 9.8, indicating critical severity, and is associated with CWE-94 (Improper Control of Generation of Code).
The vulnerability can be exploited remotely over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N), and results in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H) within the unchanged scope (S:U). Any unauthenticated attacker can leverage this by delivering the malicious PK3 file, potentially gaining full control over the affected GZDoom instance.
References include a proof-of-concept (PoC) exploit at https://github.com/Chainmanner/GZDoom-Arbitrary-Code-Execution-via-ZScript-PoC and disclosures on the Full Disclosure mailing list at https://seclists.org/fulldisclosure/2025/Feb/11 and http://seclists.org/fulldisclosure/2025/Feb/11. The provided CVE information gives no specific patch or mitigation details.
Details
- CWE(s)