CVE ID: CVE-2024-39148
CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2024-39148
Vendor: Kerlink
Affected Product & Version: KerOS 5.0 through KerOS 5.11
Vulnerability Type: CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS Base Score / CVSS Vector: BDO: 8.1 High / CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Author: Martin Weißbach
Date: 2025-11-21

Description:
The wmp-agent service of KerOS prior to 5.12 does not properly validate so-called 'magic URLs', allowing an unauthenticated remote attacker to execute arbitrary OS commands as root when the service is reachable over the network. Typically, the service is protected by a local firewall.

Remediation:
Update to KerOS 5.12.

References:
- https://keros.docs.kerlink.com/security/security_advisories_kerOS5
- https://wikikerlink.fr/wirnet-productline/doku.php?id=wiki:resources:sw_history#keros_firmware_v5120_november_2025

Timeline:
- 2024-06-11: Vulnerability reported to Kerlink
- 2024-06-28: Kerlink provided feedback on our report; ongoing communication with Kerlink
- 2025-08-05: Informed Kerlink of our intention to release the CVEs
- 2025-08-19: Sent updated vulnerability details to Kerlink
- 2025-11-06: Vendor released an update
- 2025-11-21: CVE published