CVE-2024-57763
Published: 15 January 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-57763 is a deserialization vulnerability (CWE-502) in MSFM versions prior to 2025.01.01, stemming from unsafe use of the fastjson library in the system/table/addField component. This flaw allows attackers to process untrusted data, leading to potential remote code execution or other severe impacts. The vulnerability received a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), classifying it as critical due to its network accessibility, low complexity, and lack of prerequisites.
Unauthenticated remote attackers can exploit this vulnerability over the network with minimal effort and no user interaction required. Successful exploitation grants high confidentiality and integrity impacts, enabling attackers to access sensitive data or manipulate system state, such as executing arbitrary code through crafted deserialization payloads sent to the affected endpoint.
Mitigation involves upgrading to MSFM version 2025.01.01 or later, which addresses the fastjson deserialization issue. Additional details are available in the advisory at https://gitee.com/wanglingxiao/mysiteforme/issues/IBFVFD.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The fastjson deserialization vulnerability in the /admin/system/table/addField endpoint allows authenticated remote code execution via crafted JSON payloads using gadgets like JdbcRowSetImpl for JNDI/RMI lookups, enabling exploitation of a public-facing web application.