Cyber Resilience

CVE-2024-55078

Critical

Published: 03 January 2025

Published
03 January 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0019 41.4th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-55078 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-55078 is an arbitrary file upload vulnerability in the /adminUser/updateImg component of WukongCRM-11.0-JAVA version 11.3.3. Published on 2025-01-03, the issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-434 (Unrestricted Upload of File with Dangerous Type). It enables attackers to upload crafted files that result in arbitrary code execution.

Remote, unauthenticated attackers (PR:N) can exploit the vulnerability with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows high-impact consequences, including unauthorized access to confidential data (C:H), modification of system integrity (I:H), and disruption of availability (A:H) via arbitrary code execution on the affected server.

Proof-of-concept details are available in provided references, including a GitHub Gist and a repository documenting the file upload vulnerability. No patch or mitigation guidance is specified in the available information.

EU & UK References

Vulnerability details

An arbitrary file upload vulnerability in the component /adminUser/updateImg of WukongCRM-11.0-JAVA v11.3.3 allows attackers to execute arbitrary code via uploading a crafted file.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Arbitrary file upload (CWE-434) in public-facing web app directly enables remote unauthenticated RCE via web shell deployment.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-46384Shared CWE-434
CVE-2025-13516Shared CWE-434
CVE-2024-13011Shared CWE-434
CVE-2025-8323Shared CWE-434
CVE-2025-21624Shared CWE-434
CVE-2026-35164Shared CWE-434
CVE-2026-2097Shared CWE-434
CVE-2025-12154Shared CWE-434
CVE-2026-42748Shared CWE-434
CVE-2025-32957Shared CWE-434

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation of uploaded files to reject dangerous types and crafted malicious content, directly preventing unrestricted file uploads leading to arbitrary code execution.

prevent

Enforces authentication and authorization for the /adminUser/updateImg endpoint, blocking unauthenticated remote attackers from exploiting the vulnerability.

preventdetect

Deploys malicious code protection mechanisms to scan and block uploaded crafted files capable of arbitrary code execution on the server.

References