Cyber Resilience

CVE-2026-24138

High

Published: 23 January 2026

Published
23 January 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0002 4.4th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24138 is a high-severity SSRF (CWE-918) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 4.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AU-13 (Monitoring for Information Disclosure).

Deeper analysis

CVE-2026-24138 is an unauthenticated Server-Side Request Forgery (SSRF) vulnerability (CWE-918) in the FOG Project, a free open-source cloning, imaging, rescue suite, and inventory management system. It affects versions 1.5.10.1754 and below, specifically in the getversion.php component. The flaw arises from a user-controlled 'url' parameter that allows arbitrary resource fetching when exploited.

Remote attackers can exploit this vulnerability over the network with low attack complexity, no privileges, no user interaction, and no scope change (CVSS 7.5: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Unauthenticated access is possible by including the 'newService=1' parameter in requests, enabling attackers to force the FOG server to fetch internal websites and local files on the host machine, resulting in high confidentiality impact through exposure of sensitive internal resources.

The GitHub Security Advisory at https://github.com/FOGProject/fogproject/security/advisories/GHSA-79xw-c2qx-g7xj documents the issue, published on 2026-01-23. No fixed release version was available at the time of publication.

EU & UK References

Vulnerability details

FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Versions 1.5.10.1754 and below contain an unauthenticated SSRF vulnerability in getversion.php which can be triggered by providing a user-controlled url parameter. It can be used to fetch both internal websites and…

more

files on the machine running FOG. This appears to be reachable without an authenticated web session when the request includes newService=1. The issue does not have a fixed release version at the time of publication.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Unauthenticated SSRF in public-facing getversion.php directly enables remote exploitation of a web app (T1190) and server-side retrieval of local/internal files/resources (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-13096Shared CWE-918
CVE-2025-56589Shared CWE-918
CVE-2024-25181Shared CWE-918
CVE-2025-55161Shared CWE-918
CVE-2024-12450Shared CWE-918
CVE-2024-37359Shared CWE-918
CVE-2024-8952Shared CWE-918
CVE-2025-55853Shared CWE-918
CVE-2024-13139Shared CWE-918
CVE-2026-6514Shared CWE-918

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents SSRF exploitation by validating and sanitizing the user-controlled 'url' parameter in getversion.php.

prevent

Mitigates SSRF impact by monitoring and controlling FOG server communications to block access to internal websites and files.

detect

Detects unauthorized disclosures of internal resources triggered by unauthenticated SSRF requests to getversion.php.

References