CVE-2024-39148
CVE-2024-39148
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 8.1EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch —
Lifecycle
01 Dec 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The service wmp-agent of KerOS prior 5.12 does not properly validate so-called ‘magic URLs’ allowing an unauthenticated remote attacker to execute arbitrary OS commands as root when the service is reachable over network. Typically, the service is protected via local firewall.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a