Cyber Resilience

CVE-2024-54794

Critical · Public PoC · RCE

Published: 21 January 2025
Modified: 17 October 2025
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0298 (86.8th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-54794 is a critical-severity Command Injection (CWE-77) vulnerability in Eng SpagoBI. Its CVSS v3.1 base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 13.2% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-54794 affects SpagoBI version 3.5.1, where the script input feature enables arbitrary code execution. This vulnerability, published on 2025-01-21, is classified under CWE-77 (Command Injection) and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its potential for severe impacts across confidentiality, integrity, and availability.

Exploitation requires network access and low attack complexity, with high privileges (PR:H) but no user interaction. A privileged attacker can use the script input feature to execute arbitrary code, achieving high impact on confidentiality, integrity and availability with a scope change (S:C), which could result in full compromise of the affected system. The PR:H requirement means that account hygiene for administrative SpagoBI users (strong authentication, minimal privilege assignment) is a meaningful compensating control where the feature cannot be disabled.

Research on the vulnerability, including exploitation details, is documented in the following GitHub repositories: https://github.com/MarioTesoro/CVE-2024-54794 and https://github.com/MarioTesoro/vulnerability-research/tree/main/CVE-2024-54794. No official patches or mitigation guidance from vendor advisories are detailed in the available information.

EU & UK References

Vulnerability details

The script input feature of SpagoBI 3.5.1 allows arbitrary code execution.

CWE(s)

CWE-77 (Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

The CVE describes command injection via the script input of the public-facing SpagoBI web application, which directly enables T1190 (exploitation of the exposed application) and T1059 (arbitrary command or script execution on the host).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2025-67397 (shared CWE-77)
- CVE-2024-55030 (shared CWE-77)
- CVE-2025-24818 (shared CWE-77)
- CVE-2025-9223 (shared CWE-77)
- CVE-2026-8431 (shared CWE-77)
- CVE-2026-44869 (shared CWE-77)
- CVE-2025-70093 (shared CWE-77)
- CVE-2025-0593 (shared CWE-77)
- CVE-2026-34259 (shared CWE-77)
- CVE-2026-44866 (shared CWE-77)

Affected Assets

Vendor: eng
Product: spagobi
Version: 3.5.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

- Prevent (SI-10, Information Input Validation): Directly prevents command injection in the script input feature by validating all user-supplied inputs for malicious content.
- Prevent (flaw remediation): Remediates the specific command injection flaw in SpagoBI 3.5.1 through timely patching or vendor-recommended mitigations.
- Prevent (CM-7, Least Functionality): Enforces least functionality by disabling or restricting the vulnerable script input feature when it is not essential for operations.

References