CVE-2024-13089

An OS command injection vulnerability within the update functionality may allow an authenticated administrator to execute unauthorized arbitrary OS commands. Users with administrative privileges may upload update packages to upgrade the versions of Nozomi Networks Guardian and CMC. While these updates are signed and their signatures are validated prior to installation, an improper signature validation check has been identified. This issue could potentially enable users to execute commands remotely on the appliance, thereby impacting confidentiality, integrity, and availability.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://security.nozominetworks.com/NN-2025:1-01

Configurations

No configuration.

History

12 Jun 2025, 16:06

Type	Values Removed	Values Added
Summary		(es) Una vulnerabilidad de inyección de comandos del sistema operativo en la funcionalidad de actualización podría permitir que un administrador autenticado ejecute comandos arbitrarios del sistema operativo no autorizados. Los usuarios con privilegios administrativos podrían cargar paquetes de actualización para actualizar las versiones de Nozomi Networks Guardian y CMC. Si bien estas actualizaciones están firmadas y sus firmas se validan antes de la instalación, se ha identificado una comprobación incorrecta de la validación de firmas. Este problema podría permitir que los usuarios ejecuten comandos de forma remota en el dispositivo, lo que afectaría la confidencialidad, la integridad y la disponibilidad.

10 Jun 2025, 11:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-10 11:15

Updated : 2025-06-12 16:06

NVD link : CVE-2024-13089

Mitre link : CVE-2024-13089

CVE.ORG link : CVE-2024-13089

JSON object : View

Products Affected

No product.

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2024-13089", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "prodsec@nozominetworks.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}], "cvssMetricV40": [{"type": "Secondary", "source": "prodsec@nozominetworks.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.5, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-06-10T11:15:52.113", "references": [{"url": "https://security.nozominetworks.com/NN-2025:1-01", "source": "prodsec@nozominetworks.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "prodsec@nozominetworks.com", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "An OS command injection vulnerability within the update functionality may allow an authenticated administrator to execute unauthorized arbitrary OS commands.\n\n\n\nUsers with administrative privileges may upload update packages to upgrade the versions of Nozomi Networks Guardian and CMC.\n\nWhile these updates are signed and their signatures are validated prior to installation, an improper signature validation check has been identified.\n\nThis issue could potentially enable users to execute commands remotely on the appliance, thereby impacting confidentiality, integrity, and availability."}, {"lang": "es", "value": "Una vulnerabilidad de inyecci\u00f3n de comandos del sistema operativo en la funcionalidad de actualizaci\u00f3n podr\u00eda permitir que un administrador autenticado ejecute comandos arbitrarios del sistema operativo no autorizados. Los usuarios con privilegios administrativos podr\u00edan cargar paquetes de actualizaci\u00f3n para actualizar las versiones de Nozomi Networks Guardian y CMC. Si bien estas actualizaciones est\u00e1n firmadas y sus firmas se validan antes de la instalaci\u00f3n, se ha identificado una comprobaci\u00f3n incorrecta de la validaci\u00f3n de firmas. Este problema podr\u00eda permitir que los usuarios ejecuten comandos de forma remota en el dispositivo, lo que afectar\u00eda la confidencialidad, la integridad y la disponibilidad."}], "lastModified": "2025-06-12T16:06:39.330", "sourceIdentifier": "prodsec@nozominetworks.com"}