CVE-2024-28297
Description
SQL injection vulnerability in AzureSoft MyHorus 4.3.5 allows authenticated users to execute arbitrary SQL commands via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MyHorus 4.3.5 SQL injection allows unauthenticated attackers to execute arbitrary SQL commands, potentially leading to data breach or RCE.
CVE-2024-28297 is a SQL injection vulnerability in AzureSoft MyHorus, a telemonitoring solution. The flaw exists in version 4.3.5 due to insufficient input validation, allowing an attacker to inject SQL commands via unspecified vectors. While the official CVE description notes authentication is required, public analysis [2] indicates the vulnerability can be exploited without prior authentication.
Exploitation does not require privileged access, making the attack surface broad. An attacker can send crafted requests to the MyHorus application, likely through web interfaces or API endpoints. No special network position is needed; the attacker only needs network access to the affected service [2].
Successful exploitation enables an attacker to execute arbitrary SQL statements, leading to unauthorized data access, modification, or deletion. This could compromise sensitive security data and potentially escalate to remote code execution, depending on the database configuration and the underlying system.
As of the CVE publication date (2024-08-02), no official patch has been announced by AzureSoft [1]. Users are advised to apply general security measures such as network segmentation and input sanitization until a vendor update is available.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1
Patches
0
No patches discovered yet.
References
2
News mentions
0
No linked articles in our index yet.