Cyber Posture

CVE-2024-8684

Severity: High

Published: 10 February 2025

Modified: 15 April 2026
CVSS Score: 8.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H)
EPSS Score: 0.0052 (66.7th percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

OS Command Injection vulnerability in Revolution Pi version 2022-07-28-revpi-buster from KUNBUS GmbH. This vulnerability could allow an authenticated attacker to execute OS commands on the device via the ‘php/dal.php’ endpoint, in the ‘arrSaveConfig’ parameter.

Security Summary

CVE-2024-8684 is an OS Command Injection vulnerability (CWE-78) in Revolution Pi version 2022-07-28-revpi-buster from KUNBUS GmbH. The issue affects the ‘php/dal.php’ endpoint, specifically through the ‘arrSaveConfig’ parameter, enabling injection of operating system commands. It has a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and significant impacts on integrity and availability.

An authenticated attacker with low privileges (PR:L) can exploit this vulnerability over the network without user interaction. By sending a specially crafted request to the vulnerable endpoint, the attacker can execute arbitrary OS commands on the Revolution Pi device, potentially compromising its integrity and availability, with limited confidentiality impact.

The INCIBE-CERT advisory on multiple vulnerabilities in KUNBUS GmbH's Revolution Pi (https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-kunbus-gmbhs-revolution-pi) provides further details, including mitigation recommendations for affected systems.

Details

CWE(s): CWE-78 (OS Command Injection)
