HIGH🇵🇱 Wersja polska

CVE-2024-39148

CVSS 8.1v3.1pub. 2025-12-01upd. 2025-12-23

The service wmp-agent of KerOS prior 5.12 does not properly validate so-called ‘magic URLs’ allowing an unauthenticated remote attacker to execute arbitrary OS commands as root when the service is reachable over network. Typically, the service is protected via local firewall.

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Kerlink Keros

    OS
    Kerlink
    5.0 – 5.12 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Firewall
CWE
References

Related vulnerabilities

CVE-2024-32384MEDIUM6.8ten sam produkt

Kerlink gateways running KerOS prior to version 5.10 expose their web interface exclusively over HTTP, without...

CVE-2024-32388MEDIUM5.3ten sam produkt

Due to a firewall misconfiguration, Kerlink devices running KerOS prior to 5.12 incorrectly accept specially c...