CVE-2024-21855
Description
An unauthenticated HTTP API in GoCast 1.1.3 allows arbitrary command execution via the monitor parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A missing authentication vulnerability exists in the HTTP API of GoCast 1.1.3. The API allows registration and unregistration of apps without authentication. The monitor parameter in app registration executes arbitrary commands via bash -c. Affected version: GoCast 1.1.3. [1]
Exploitation
An attacker can send an unauthenticated HTTP request to the API to register a malicious app with a crafted monitor parameter. No authentication or user interaction is required. The attacker can abuse BGP functionality, create NAT firewall rules, and execute arbitrary commands. [1]
Impact
Successful exploitation leads to arbitrary command execution with the privileges of the GoCast service, potentially resulting in full system compromise. The CVSS score is 9.8 (Critical) with high impact on confidentiality, integrity, and availability. [1]
Mitigation
No official patch is available as of the advisory. Users should disable the HTTP API or put it behind authentication using a reverse proxy. The vendor should provide authentication configuration and disable the API by default. [1]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.