NetAlertX 23.01.14 through 24.x before 24.10.12 allows unauthenticated command injection via settings update because function=savesettings lacks an authentication requirement, as exploited in the wild in May 2025. This is related to settings.php and util.php.
The `function=savesettings` function handled by `settings.php` and `util.php` files does not require any authentication. An attacker can send a crafted HTTP request to this endpoint, injecting malicious system commands into the settings parameters. The lack of access control mechanism (CWE-306 — Missing Authentication for Critical Function) makes the exploit trivial and possible to execute without any credentials.
An attacker gains the ability to remotely execute arbitrary system commands on the server with NetAlertX process privileges, which can lead to complete system takeover, data exfiltration, and violation of confidentiality, integrity, and availability.
NetAlertX should be immediately updated to version 24.10.12 or later. Until the patch is applied, it is recommended to restrict network access to the NetAlertX administrative interface only to trusted IP addresses (e.g., via firewall or network rules).
NetAlertX in versions from 23.01.14 to 24.x before 24.10.12
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HNetalertx
APPNetalertx23.01.14 – 24.10.12 (bez)
Related vulnerabilities
NetAlertX: Pominięcie uwierzytelnienia przez PHP magic hash (SHA-256)
NetAlertX — ominięcie uwierzytelnienia umożliwia zmianę ustawień (CVSS 10.0)
NetAlertX 24.7.18 before 24.10.12 allows unauthenticated file reading because an HTTP client can ignore a redi...