CVE-2024-39148

high

Description

The service wmp-agent of KerOS prior 5.12 does not properly validate so-called ‘magic URLs’ allowing an unauthenticated remote attacker to execute arbitrary OS commands as root when the service is reachable over network. Typically, the service is protected via local firewall.

References

https://www.bdosecurity.de/en-gb/advisories/cve-2024-39148

https://keros.docs.kerlink.com/security/security_advisories_kerOS5

Details

Source: Mitre, NVD

Published: 2025-12-01

Updated: 2025-12-23

Risk Information

CVSS v2

Base Score: 7.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 8.1

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.00112