{"uuid": "2adf7552-47cf-4555-af85-af481fbfa04f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "name": "Viasat Modems Zero-Day Vulnerabilities Let Attackers Execute Remote Code", "description": "# Viasat Modems Zero-Day Vulnerabilities Let Attackers Execute Remote Code\nA severe zero-day vulnerability has been uncovered in multiple Viasat satellite modem models, including the RM4100, RM4200, EM4100, RM5110, RM5111, RG1000, RG1100, EG1000, and EG1020.\n\nIdentified by ONEKEY Research Lab through automated binary static analysis, the flaw, tracked as CVE-2024-6198, affects the \u201cSNORE\u201d web interface running on lighttpd over TCP ports 3030 and 9882.\n\n![Zero-Day Vulnerabilities](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2GkiTmtaGoi2B23qw1MoymbWw2UGG7c7VOkZvNhjMCaI1WiKZv2Wdackkh-9bT4WRaCt1toCi9mJRKzA_gxlcV08KPa1irn7h8m6fDJrkUqlvO7bZArl4d6GpQWXQ4mZgpntUvm67VMLYMAO23XFqAnx7yJm8SUiR3e8QsY37A310EZTmKNThGm5icNc/s16000/Excerpts%20of%20the%20lighttpd%20configuration.webp)\n\nExcerpts of the lighttpd configuration\n\nWith a CVSS score of 7.7 (High), this vulnerability enables unauthenticated remote code execution (RCE) by exploiting a stack [buffer overflow](https://gbhackers.com/spawnchimera-malware-exploits-ivanti-buffer-overflow-vulnerability/) due to insecure path parsing in the index.cgi binary.\n\nThis critical issue, discovered on the day a customer enabled binary zero-day analysis on ONEKEY\u2019s platform, exposes devices to 
potential compromise over LAN or OTA interfaces, posing significant risks to sensitive infrastructures relying on these modems.\n\n**Technical Details and Exploitation Path**\n-------------------------------------------\n\nThe vulnerability stems from flawed handling of HTTP requests within the SNORE interface\u2019s CGI binary located at /usr/local/SNORE.\n\nSpecifically, environment variables REQUEST\\_METHOD and REQUEST\\_URI are processed unsafely during GET, POST, or DELETE requests.\n\n![Zero-Day Vulnerabilities](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtha-6Oem1uhamtqFitj6AoI41lnCrGnq-5g5NN2wLMt5bFhjz9kPKaUK0mRbcltMfubEHyp164qm8W3FI_O2ZTT87c9BmaTqA9UTQsNDDzOQB9lqLKwd1BoffrWFOQ2CvlieEfuV3sg6SwIwe6nD0CTIZhrRzdBYfg_gXTN_emHcKnYXPueQO7KYfUzQ/s16000/Analysis%20Configuration.webp)\n\nAnalysis Configuration\n\nAn unsafe call to sscanf extracts URI components into a fixed-size buffer without proper bounds checking, allowing attackers to overflow the stack by crafting [malicious requests](https://gbhackers.com/xss-vulnerability-in-bing-com/), such as http://192.168.100.1:9882/snore/blackboxes/ followed by 512 repeated characters.\n\nThis overflow grants control over critical registers, including the program counter, enabling attackers to hijack execution flow.\n\nDespite the binary\u2019s non-executable stack hardening, exploitation remains feasible through return-oriented programming (ROP) chains, reusing existing code blocks to execute arbitrary code.\n\nAffected firmware versions include those below 3.8.0.4 for RM4100, RM4200, and EM4100, and up to 4.3.0.1 for other models, with fixes deployed in versions 3.8.0.4 and 4.3.0.2, respectively.\n\nViasat has rolled out automated over-the-air updates, and users are urged to ensure their devices are online to receive patches and to verify the updated firmware version via the administrative interface.\n\nThis discovery underscores the systemic risks posed by opaque firmware in critical devices and the 
power of proactive binary analysis in uncovering latent threats.\n\nAccording to the [Report](https://www.onekey.com/resource/security-advisory-rce-on-viasat-modems-cve-2024-6198), ONEKEY\u2019s automated firmware inspection, which flagged the issue during routine daily monitoring, highlights the necessity of such tools for OEMs and integrators to safeguard connected environments.\n\nThe coordinated disclosure process with Viasat, initiated on May 15, 2024, showcased effective communication despite multiple deadline extensions, culminating in public disclosure on May 25, 2025, after ensuring a significant ratio of devices in the field were patched.\n\nNevertheless, the incident emphasizes the urgent need for transparency in embedded software to mitigate risks in modern infrastructures.\n\nAs satellite modems underpin vital communication networks, such vulnerabilities could have far-reaching consequences if left unaddressed, making diligent firmware scrutiny and timely updates non-negotiable for security.\n\n[Aman Mishra](https://gbhackers.com/author/aman-mishra/)\n\nAman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.", "creation_timestamp": "2025-05-07T13:26:15.723595+00:00", "timestamp": "2025-05-07T13:26:15.723595+00:00", "related_vulnerabilities": ["cve-2024-6198", "CVE-2024-6198"], "author": {"login": "adulau", "name": "Alexandre Dulaunoy", "uuid": "c933734a-9be8-4142-889e-26e95c752803"}}
