CVE-2024-47407

CRITICAL

mySCADA myPRO Manager Unauthenticated Command Injection (CVE-2024-47407)

Title source: metasploit

Description

myPRO Manager does not properly validate input to a parameter within a command, which an unauthenticated remote attacker could exploit to inject arbitrary operating system commands.

Exploits (1)

metasploit WORKING POC EXCELLENT
by Michael Heinzl · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/scada/mypro_mgr_cmd.rb

Scores

CVSS v3 10.0
EPSS 0.6894
EPSS Percentile 98.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Details

CWE CWE-78
Status published
Products (2)
mySCADA/myPRO Manager < 1.3
mySCADA/myPRO Runtime < 9.2.1
Published Nov 22, 2024
Tracked Since Feb 18, 2026