CVE-2024-44623

CRITICAL

TuomoKu SPx-GC <= 1.3.0 child_process.js - Remote Code Execution

Title source: manual

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-44623. PoCs published by merbinr.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2024-44623, a blind RCE vulnerability in SPX-GC <= 1.3.0v due to unsanitized user input passed to the child_process.exec function. It includes root cause analysis, references to vulnerable code, and fix details.

Description

An issue in TuomoKu SPx-GC v.1.3.0 and before allows a remote attacker to execute arbitrary code via the child_process.js function.

Exploits (1)

nomisec WRITEUP

by merbinr · poc

https://github.com/merbinr/CVE-2024-44623

View Code ZIP pw:eip

This repository provides a detailed technical analysis of CVE-2024-44623, a blind RCE vulnerability in SPX-GC <= 1.3.0v due to unsanitized user input passed to the child_process.exec function. It includes root cause analysis, references to vulnerable code, and fix details.

Classification

Writeup 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: SPX-GC <= 1.3.0v

No auth needed

Prerequisites: Network access to the vulnerable SPX-GC instance

MITRE ATT&CK

T1202 - Indirect Command Execution

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (3)

Core 3

Core References

Product

https://github.com/TuomoKu/SPX-GC

Product

https://github.com/TuomoKu/SPX-GC/blob/v.1.3.0/routes/routes-api.js#L39

Third Party Advisory

https://github.com/merbinr/CVE-2024-44623

Scores

CVSS v3 9.8

EPSS 0.0117

EPSS Percentile 63.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-94

Status published

Products (1)

spx/spx_graphics_controller < 1.3.0

Published Sep 16, 2024

Tracked Since Feb 18, 2026