CVE-2024-42733
Published: 07 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to gain initial access to a network.
Security Summary
CVE-2024-42733 is a critical code injection vulnerability (CWE-94) affecting Docmosis Tornado versions 2.9.7 and earlier. It enables a remote attacker to execute arbitrary code by supplying a crafted script to the UNC path input field within the software.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable over the network with low complexity, requiring no privileges or user interaction. An unauthenticated attacker can achieve full remote code execution, potentially compromising confidentiality, integrity, and availability of the affected system.
Mitigation details are discussed in referenced advisories, including a GitHub issue in the Docmosis tornado-docker repository (https://github.com/Docmosis/tornado-docker/issues/14) and a proof-of-concept in a related repository (https://github.com/Marsman1996/pocs/blob/master/redox/CVE-2024-57492/README.md). Security practitioners should review these for patching guidance and workarounds.
Details
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remote code injection (CWE-94) in a public-facing Docmosis Tornado server that allows unauthenticated arbitrary code execution over the network; this maps directly to exploitation of public-facing applications for initial access and execution.