CVE-2024-47407

CRITICAL

mySCADA myPRO Manager Unauthenticated Command Injection (CVE-2024-47407)

Title source: metasploit

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-47407. PoCs published by Michael Heinzl, including Metasploit module exploits/windows/scada/mypro_mgr_cmd.

AI-analyzed exploit summary This Metasploit module exploits an unauthenticated command injection vulnerability in mySCADA myPRO Manager <= v1.2. It sends a crafted POST request to the 'get' endpoint with a malicious 'email' parameter to execute arbitrary commands in the context of the myscada9 administrative user.

Description

A parameter within a command does not properly validate input within myPRO Manager which could be exploited by an unauthenticated remote attacker to inject arbitrary operating system commands.

Exploits (1)

metasploit WORKING POC EXCELLENT

by Michael Heinzl · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/scada/mypro_mgr_cmd.rb

View Code ZIP pw:eip

This Metasploit module exploits an unauthenticated command injection vulnerability in mySCADA myPRO Manager <= v1.2. It sends a crafted POST request to the 'get' endpoint with a malicious 'email' parameter to execute arbitrary commands in the context of the myscada9 administrative user.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: mySCADA myPRO Manager <= v1.2

No auth needed

Prerequisites: Network access to the target's web interface on port 34022

MITRE ATT&CK

T1203 - Exploitation for Client Execution T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Third Party Advisory, US Government Resource

https://www.cisa.gov/news-events/ics-advisories/icsa-24-326-07

Scores

CVSS v3 10.0

EPSS 0.6563

EPSS Percentile 99.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-78

Status published

Products (2)

mySCADA/myPRO Manager < 1.3

mySCADA/myPRO Runtime < 9.2.1

Published Nov 22, 2024

Tracked Since Feb 18, 2026