CVE-2024-55466
Published: 12 May 2025
Summary
CVE-2024-55466 is a medium-severity Command Injection (CWE-77) vulnerability in ThingsBoard (vendor: ThingsBoard). Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique SVG Smuggling (T1027.017). The CVE is ranked in the top 36.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-14279
Vulnerability details
An arbitrary file upload vulnerability in the Image Gallery of ThingsBoard Community, ThingsBoard Cloud and ThingsBoard Professional v3.8.1 allows attackers to execute arbitrary code via uploading a crafted file.
- CWE(s): CWE-77 (Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary file upload enables SVG smuggling (T1027.017) of JavaScript payloads (T1059.007) for stored XSS, which in turn facilitates privilege escalation (T1068) and credential access through web session cookie theft (T1212, T1539).
Affected Assets
Mitigating Controls
No mitigating controls mapped yet.