Skip to main content

CVE-2024-13089

| EUVDEUVD-2024-54660 HIGH
OS Command Injection (CWE-78)
2025-06-10 prodsec@nozominetworks.com
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:43 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
24.6.0
EUVD ID Assigned
Mar 14, 2026 - 19:49 euvd
EUVD-2024-54660
Analysis Generated
Mar 14, 2026 - 19:49 vuln.today
CVE Published
Jun 10, 2025 - 11:15 nvd
HIGH 7.2

DescriptionCVE.org

An OS command injection vulnerability within the update functionality may allow an authenticated administrator to execute unauthorized arbitrary OS commands.

Users with administrative privileges may upload update packages to upgrade the versions of Nozomi Networks Guardian and CMC.

While these updates are signed and their signatures are validated prior to installation, an improper signature validation check has been identified.

This issue could potentially enable users to execute commands remotely on the appliance, thereby impacting confidentiality, integrity, and availability.

AnalysisAI

CVE-2024-13089 is an OS command injection vulnerability in the update functionality of Nozomi Networks Guardian and CMC appliances that allows authenticated administrators to bypass signature validation and execute arbitrary OS commands. While the vulnerability requires high-privilege administrative access, the improper cryptographic signature validation on update packages creates a critical integrity bypass that could lead to complete system compromise. The attack is network-accessible with no user interaction required once an administrator initiates an update.

Technical ContextAI

The vulnerability exists in the update package processing mechanism of Nozomi Networks Guardian and CMC products (CPE identifiers: cpe:2.3:a:nozominetworks:guardian:* and cpe:2.3:a:nozominetworks:cmc:*). The root cause is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command) combined with an improper cryptographic signature validation weakness (CWE-347). Administrators can upload digitally signed update packages; however, the signature validation logic contains a flaw that fails to properly authenticate the package integrity before processing. This allows injection of malicious OS commands within update payloads that are executed with elevated privileges during the update installation process. The vulnerability bypasses intended security controls designed to ensure only legitimate, vendor-signed updates are processed.

RemediationAI

Immediate actions: (1) Apply the latest security patches from Nozomi Networks as soon as available—vendor advisory and patch links should be obtained directly from Nozomi Networks' website or security portal. (2) Restrict administrative access to the Guardian and CMC update functionality to a minimal set of trusted personnel; implement multi-factor authentication for administrative accounts if not already in place. (3) Audit recent update activity logs to identify any unauthorized or suspicious update submissions. (4) If immediate patching is not possible, implement network-level controls to restrict access to the update management interface to trusted networks or jump hosts. (5) Monitor for unexpected process execution or command activity on Guardian and CMC appliances post-update. Longer-term: validate that all future updates originate from official Nozomi Networks sources and consider implementing additional integrity verification mechanisms beyond signature validation.

Share

CVE-2024-13089 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy