CVE-2024-8684
Published: 10 February 2025
Summary
CVE-2024-8684 is a high-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks in the top 32.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-8684 is an OS Command Injection vulnerability (CWE-78) in Revolution Pi version 2022-07-28-revpi-buster from KUNBUS GmbH. The issue affects the ‘php/dal.php’ endpoint, specifically through the ‘arrSaveConfig’ parameter, enabling injection of operating system commands. It has a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and significant impacts on integrity and availability.
An authenticated attacker with low privileges (PR:L) can exploit this vulnerability over the network without user interaction. By sending a specially crafted request to the vulnerable endpoint, the attacker can execute arbitrary OS commands on the Revolution Pi device, potentially compromising its integrity and availability, with limited confidentiality impact.
The INCIBE-CERT advisory on multiple vulnerabilities in KUNBUS GmbH's Revolution Pi (https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-kunbus-gmbhs-revolution-pi) provides further details, including mitigation recommendations for affected systems.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5063
- 🇪🇸 INCIBE: www.incibe.es
Vulnerability details
OS Command Injection vulnerability in Revolution Pi version 2022-07-28-revpi-buster from KUNBUS GmbH. This vulnerability could allow an authenticated attacker to execute OS commands on the device via the ‘php/dal.php’ endpoint, in the ‘arrSaveConfig’ parameter.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection in a network-accessible PHP endpoint directly enables Unix shell command execution (T1059.004) and exploitation of a public-facing application (T1190).
Mitigating Controls (NIST 800-53 r5)
SI-10 directly prevents OS command injection by requiring validation and sanitization of untrusted inputs like the arrSaveConfig parameter in the php/dal.php endpoint.
SI-2 ensures timely flaw remediation, such as patching the known OS command injection vulnerability in Revolution Pi version 2022-07-28-revpi-buster.
AC-6 limits damage from injected OS commands by enforcing least privilege on the PHP process handling the vulnerable endpoint.
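To make the SI-10 and AC-6 points above concrete, the following is an added illustrative example; it is not the Revolution Pi 'php/dal.php' source and does not reproduce the actual flaw. The handler, the 'interface' configuration key and the ip command are assumptions. It contrasts the generic CWE-78 pattern (a request value concatenated into a shell command line) with a hardened form that validates the value against a strict allowlist and invokes the program without a shell.

```php
<?php
declare(strict_types=1);

// Illustrative example added to this record. NOT the Revolution Pi code:
// the handler, the 'interface' key and the ip command are assumptions chosen
// to show the CWE-78 pattern and its hardened counterpart.

// Vulnerable pattern, shown for contrast only: an untrusted configuration
// value is concatenated into a shell command line. Any shell metacharacter in
// $config['interface'] changes what the shell would execute.
function buildCommandUnsafe(array $config): string
{
    // In a real handler this string would reach shell_exec()/system().
    return 'ip link set ' . ($config['interface'] ?? '') . ' up';
}

// SI-10: validate the untrusted value against a strict allowlist before it
// reaches any OS interface. Reject anything else; do not try to "clean" it.
// The pattern assumes plain Linux interface names (max 15 chars); widen it
// deliberately if the real value set differs.
function validateInterfaceName(string $name): string
{
    if (!preg_match('/\A[a-z][a-z0-9]{0,14}\z/', $name)) {
        throw new InvalidArgumentException('invalid interface name');
    }
    return $name;
}

// Hardened form: build an argv array instead of a command string. With
// proc_open() (PHP 7.4+) an array command is executed without a shell, so
// every element is passed literally, metacharacters included.
function buildCommandSafe(array $config): array
{
    $iface = validateInterfaceName((string) ($config['interface'] ?? ''));
    return ['/sbin/ip', 'link', 'set', $iface, 'up'];
}

function runSafe(array $argv): int
{
    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $descriptors, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('failed to start process');
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);
}

// AC-6: the account running the PHP handler should not be root. If the action
// genuinely needs privilege, delegate it through a narrowly scoped sudoers rule
// or a helper that accepts only already-validated arguments.

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs: a benign value and one carrying a metacharacter.
    $benign  = ['interface' => 'eth0'];
    $hostile = ['interface' => 'eth0; echo injected'];

    // The unsafe builder happily produces a command line with a second command.
    echo buildCommandUnsafe($hostile), PHP_EOL;

    // The safe builder returns a clean argv for the benign value...
    print_r(buildCommandSafe($benign));

    // ...and rejects the hostile one before any process is started.
    try {
        buildCommandSafe($hostile);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The important design choice is that validation and shell avoidance are separate layers: the allowlist enforces the data type the endpoint actually expects, and the argv-based invocation removes the shell parser entirely, so a validation gap does not by itself become command execution.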