Cyber Resilience

CVE-2024-55030

CriticalPublic PoCRCE

Published: 25 March 2025

Published
25 March 2025
Modified
03 April 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0558 90.5th percentile
Risk Priority 23 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-55030 is a critical-severity Command Injection (CWE-77) vulnerability in Nasa Fprime. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 9.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-55030 is a command injection vulnerability (CWE-77) in the Command Dispatcher Service of NASA Fprime version 3.4.3. The flaw carries a CVSS 3.1 score of 9.8 and permits unauthenticated remote attackers to execute arbitrary operating-system commands.

An attacker with network access can submit crafted input to the affected service and obtain code execution with the privileges of the Fprime process, resulting in full confidentiality, integrity, and availability impact without requiring user interaction or credentials.

Public analysis published by VisionSpace details the remote-code-execution issues present in the same Fprime release. The associated EPSS score rose from lower values to a peak of 0.1446 on 2026-03-08 before receding to the current 0.0558, indicating measurable post-disclosure exploitation interest.

EU & UK References

Vulnerability details

A command injection vulnerability in the Command Dispatcher Service of NASA Fprime v3.4.3 allows attackers to execute arbitrary commands.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Command injection vulnerability enables remote arbitrary command execution on a network-accessible service (T1190: Exploit Public-Facing Application) and directly facilitates OS command execution (T1059: Command and Scripting Interpreter).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-55028Same product: Nasa Fprime
CVE-2026-41144Same product: Nasa Fprime
CVE-2025-67397Shared CWE-77
CVE-2026-21897Same vendor: Nasa
CVE-2025-24818Shared CWE-77
CVE-2025-9223Shared CWE-77
CVE-2026-8431Shared CWE-77
CVE-2026-44869Shared CWE-77
CVE-2025-70093Shared CWE-77
CVE-2025-0593Shared CWE-77

Affected Assets

nasa
fprime
3.4.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents command injection attacks by validating and sanitizing all inputs to the vulnerable Command Dispatcher Service.

prevent

Mitigates the vulnerability through timely flaw remediation, including patching the command injection issue in NASA Fprime v3.4.3.

prevent

Limits damage from successful command injection by enforcing least privilege on processes handling commands in the dispatcher service.

References