CVE-2024-57764
Published: 15 January 2025
Description
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Security Summary
MSFM versions prior to 2025.01.01 contain a deserialization vulnerability in the FastJSON library, accessible via the system/table/add component. Tracked as CVE-2024-57764 and published on 2025-01-15, this flaw is classified under CWE-502 (Deserialization of Untrusted Data) with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to its potential for high confidentiality and integrity impacts.
Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no user interaction required. Exploitation involves sending crafted requests to the affected endpoint, enabling severe consequences such as unauthorized access to sensitive data or modification of system state, consistent with the high confidentiality and integrity impact metrics.
The advisory referenced at https://gitee.com/wanglingxiao/mysiteforme/issues/IBFVCZ details the issue, with mitigation achieved by upgrading to MSFM version 2025.01.01 or later, which addresses the deserialization flaw in the FastJSON component.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The fastjson deserialization vulnerability in the /admin/system/table/add endpoint allows authenticated remote code execution through crafted JSON payloads using Java deserialization gadgets like JdbcRowSetImpl with RMI callbacks.