CVE-2024-8684

High · RCE

Published: 10 February 2025
Modified: 15 April 2026
KEV Added: not listed
CVSS Score v3.1: 8.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H)
EPSS Score: 0.0052 (67.1st percentile)
Risk Priority: 17 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-8684 is a high-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked in the top 32.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-8684 is an OS Command Injection vulnerability (CWE-78) in Revolution Pi version 2022-07-28-revpi-buster from KUNBUS GmbH. The issue affects the ‘php/dal.php’ endpoint, specifically through the ‘arrSaveConfig’ parameter, enabling injection of operating system commands. It has a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and significant impacts on integrity and availability.

An authenticated attacker with low privileges (PR:L) can exploit this vulnerability over the network without user interaction. By sending a specially crafted request to the vulnerable endpoint, the attacker can execute arbitrary OS commands on the Revolution Pi device, potentially compromising its integrity and availability, with limited confidentiality impact.

The INCIBE-CERT advisory on multiple vulnerabilities in KUNBUS GmbH's Revolution Pi (https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-kunbus-gmbhs-revolution-pi) provides further details, including mitigation recommendations for affected systems.

Vulnerability details

OS Command Injection vulnerability in Revolution Pi version 2022-07-28-revpi-buster from KUNBUS GmbH. This vulnerability could allow an authenticated attacker to execute OS commands on the device via the ‘php/dal.php’ endpoint, in the ‘arrSaveConfig’ parameter.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

OS command injection in a network-accessible PHP endpoint directly enables Unix shell command execution (T1059.004) and exploitation of a public-facing application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-42454 (shared CWE-78)
CVE-2026-34796 (shared CWE-78)
CVE-2024-57016 (shared CWE-78)
CVE-2025-50475 (shared CWE-78)
CVE-2024-57015 (shared CWE-78)
CVE-2026-36828 (shared CWE-78)
CVE-2024-57595 (shared CWE-78)
CVE-2026-25196 (shared CWE-78)
CVE-2024-50566 (shared CWE-78)
CVE-2026-23592 (shared CWE-78)

Affected Assets

Revolution Pi (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5) AI

prevent: SI-10 directly prevents OS command injection by requiring validation and sanitization of untrusted inputs like the arrSaveConfig parameter in the php/dal.php endpoint.

prevent: SI-2 ensures timely flaw remediation, such as patching the known OS command injection vulnerability in Revolution Pi version 2022-07-28-revpi-buster.

prevent: AC-6 limits damage from injected OS commands by enforcing least privilege on the PHP process handling the vulnerable endpoint.
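As an added illustration of what SI-10 and AC-6 mean for a handler of this shape (this is not KUNBUS code; the page does not show the source of php/dal.php), the following hypothetical PHP contrasts the CWE-78 pattern with a validated, escaped form. The helper path, the allowed keys and their patterns are assumptions.

```php
<?php
// Illustrative only, not the Revolution Pi implementation. Assumes a
// hypothetical save-config handler that receives an array of key/value
// settings (named after the arrSaveConfig parameter) and applies each one
// by invoking a system helper (path is an assumption).

// Vulnerable pattern (CWE-78): untrusted values are concatenated into a
// shell command string, so shell metacharacters in a value are interpreted
// by the shell instead of being treated as data.
function saveConfigUnsafe(array $arrSaveConfig): void
{
    foreach ($arrSaveConfig as $key => $value) {
        exec("/usr/local/bin/apply-setting " . $key . " " . $value);
    }
}

// Hardened pattern (SI-10): allowlist the keys, validate each value against
// a strict pattern, and wrap every argument with escapeshellarg() so the
// shell never parses it. For AC-6, the web server account should reach the
// helper only through a narrowly scoped sudoers rule, never as root.
const ALLOWED_KEYS = [
    'hostname'   => '/^[A-Za-z0-9][A-Za-z0-9-]{0,62}$/',
    'timezone'   => '/^[A-Za-z_]+(\/[A-Za-z_+-]+){0,2}$/',
    'ntp_server' => '/^[A-Za-z0-9.-]{1,253}$/',
];

// Returns the keys that were refused or whose helper run failed, so the
// caller can log them (an SI-10 rejection is a detection signal too).
function saveConfigHardened(array $arrSaveConfig): array
{
    $rejected = [];
    foreach ($arrSaveConfig as $key => $value) {
        if (!is_string($key) || !is_string($value)
            || !isset(ALLOWED_KEYS[$key])
            || preg_match(ALLOWED_KEYS[$key], $value) !== 1) {
            $rejected[] = (string) $key;   // refuse; do not try to "clean" it
            continue;
        }
        $cmd = '/usr/local/bin/apply-setting '
             . escapeshellarg($key) . ' ' . escapeshellarg($value);
        exec($cmd, $output, $status);
        if ($status !== 0) {
            $rejected[] = $key;
        }
    }
    return $rejected;
}

// Constructed input: a valid hostname and a timezone value carrying a shell
// metacharacter, which the allowlist regex refuses before any exec() call.
$rejected = saveConfigHardened([
    'hostname' => 'revpi-01',
    'timezone' => 'Europe/Berlin; true',
]);
```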

References