Back to KEVs

CVE-2024-46506

NetAlertX 23.01.14 through 24.x before 24.10.12 allows unauthenticated command injection via settings update because function=savesettings lacks an...

Basic Information

CVE State: PUBLISHED
Reserved Date: September 11, 2024
Published Date: May 13, 2025
Last Updated: May 13, 2025
Vendor: NetAlertX
Product: NetAlertX
Description: NetAlertX 23.01.14 through 24.x before 24.10.12 allows unauthenticated command injection via settings update because function=savesettings lacks an authentication requirement, as exploited in the wild in May 2025. This is related to settings.php and util.php.
Tags

CVSS Scores

CVSS v3.1

10.0 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score

Score: 47.74% (Percentile: 97.55%) as of 2025-06-11

SSVC Information

Exploitation: poc
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (2025-05-13 16:40:27 UTC) Source

References

https://rhinosecuritylabs.com/research/cve-2024-46506-rce-in-netalertx/

Known Exploited Vulnerability Information

Source	Added Date
CVE	2025-05-13 16:40:20 UTC

Scanner Integrations

Scanner	URL	Date Detected
Metasploit	https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/netalertx_rce_cve_2024_46506.rb	2025-06-09 13:48:34 UTC

Timeline

CVE ID Reserved

September 11, 2024
CVE Published to Public

May 13, 2025
Added to KEVIntel

May 13, 2025
Detected by Metasploit

June 09, 2025