CVE-2024-28754
Description
RaspAP (aka raspap-webgui) through 3.0.9 allows remote attackers to cause a persistent denial of service (bricking) via a crafted request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
RaspAP through 3.0.9 allows unauthenticated remote attackers to brick the device via a crafted request due to missing authentication on AJAX endpoints.
Vulnerability
Overview
CVE-2024-28754 affects RaspAP (raspap-webgui) versions up to 3.0.9. The root cause is the absence of authentication checks on several AJAX endpoints, allowing unauthenticated HTTP requests to modify critical system configurations [1][2]. This oversight enables an attacker to send a specially crafted request that can permanently disable the device, a condition described as "bricking."
Exploitation
An attacker with network access to the RaspAP web interface can exploit this vulnerability without any prior authentication. By targeting unsecured AJAX endpoints, the attacker can alter network settings, firmware parameters, or other essential configurations, leading to a persistent denial of service [2][3]. The attack does not require any special privileges or user interaction.
Impact
Successful exploitation renders the Raspberry Pi or other Debian-based device running RaspAP completely inoperable. The device cannot recover without manual intervention, such as reflashing the SD card or performing a hardware reset. This represents a high-severity risk for users relying on RaspAP for wireless router functionality.
Mitigation
The vulnerability has been addressed in a subsequent commit (d0592b6) that adds authentication requirements to AJAX pages [4]. Users are strongly advised to update to the latest version of RaspAP immediately. No workarounds are available for unpatched installations.
- [1] GitHub - RaspAP/raspap-webgui: The easiest, full-featured wireless router setup for Debian-based devices. Period.
- [2] NVD - CVE-2024-28754
- [3] Add authentication to ajax pages, thx @lts-rad by billz · Pull Request #1548 · RaspAP/raspap-webgui
- [4] Merge pull request #1548 from RaspAP/sec/authenticate-ajax · RaspAP/raspap-webgui@d0592b6
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
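The fix described above is a per-file convention: every handler under ajax/ gains a `require_once` of the authentication guard before it does any work. A convention like that regresses easily when a new endpoint is added, so a defender wants a lint that enforces it in CI. The following is an added example, not code from the RaspAP project; it assumes the guard is recognised by a require of `includes/authenticate.php` (the form visible in the commit) and that the guard must precede any read of `$_GET`/`$_POST`/`$_REQUEST` or any `exec()`/`shell_exec()` call. The PHP sources it audits are constructed samples embedded in the script: the first mirrors the post-fix shape of ajax/networking/get_all_interfaces.php, the others (under a hypothetical ajax/demo/ directory) illustrate the failure modes.

```python
"""Regression lint for RaspAP-style AJAX endpoints: flag any handler that
does not load the authentication guard before touching request data.

Added example, not RaspAP project code.  Assumes the convention visible in
the fix commit: a protected endpoint contains
    require_once '../../includes/authenticate.php';
and that guard must precede any read of $_GET/$_POST/$_REQUEST or any
exec()/shell_exec() call.  All PHP sources below are constructed samples.
"""
import re
from typing import Dict, List

# A require of includes/authenticate.php in either quote style, with or
# without parentheses around the path.
AUTH_GUARD = re.compile(
    r"""require(?:_once)?\s*\(?\s*['"][^'"]*includes/authenticate\.php['"]"""
)
# First point at which the script starts handling the request.
REQUEST_USE = re.compile(r"\$_(?:POST|GET|REQUEST)\b|\b(?:shell_)?exec\s*\(")


def strip_comments(src: str) -> str:
    """Drop /* */, // and # comments so a commented-out guard does not count.
    Deliberately simple: it does not understand comment markers inside strings."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(?m)(?://|#).*$", "", src)


def audit_endpoint(src: str) -> str:
    """Classify one endpoint: 'ok', 'missing' (no guard at all) or 'late'
    (guard present but request data is already used before it)."""
    code = strip_comments(src)
    guard = AUTH_GUARD.search(code)
    if guard is None:
        return "missing"
    first_use = REQUEST_USE.search(code)
    if first_use is not None and first_use.start() < guard.start():
        return "late"
    return "ok"


def audit_tree(files: Dict[str, str]) -> Dict[str, str]:
    """Audit every file under ajax/; other paths are not endpoints."""
    return {path: audit_endpoint(src)
            for path, src in files.items() if path.startswith("ajax/")}


def failing(files: Dict[str, str]) -> List[str]:
    """Sorted paths that fail the lint (any status other than 'ok')."""
    return sorted(p for p, s in audit_tree(files).items() if s != "ok")


# Constructed samples.  The first mirrors the post-fix shape of
# ajax/networking/get_all_interfaces.php; the ajax/demo/ files are hypothetical.
SAMPLE_FILES = {
    "ajax/networking/get_all_interfaces.php": """<?php
require '../../includes/csrf.php';
require_once '../../includes/config.php';
require_once '../../src/RaspAP/Auth/HTTPAuth.php';
require_once '../../includes/authenticate.php';
exec("ls /sys/class/net | grep -v lo", $interfaces);
echo json_encode($interfaces);
""",
    "ajax/demo/unguarded.php": """<?php
require '../../includes/csrf.php';
exec("ls /sys/class/net | grep -v lo", $interfaces);
echo json_encode($interfaces);
""",
    "ajax/demo/guard_after_input.php": """<?php
$iface = $_POST['iface'];
require_once '../../includes/authenticate.php';
echo json_encode($iface);
""",
    "ajax/demo/commented_guard.php": """<?php
// require_once '../../includes/authenticate.php';
echo json_encode($_GET);
""",
    "includes/functions.php": "<?php function helper() { return 1; }\n",
}

if __name__ == "__main__":
    for path, status in sorted(audit_tree(SAMPLE_FILES).items()):
        print(f"{status:8} {path}")
    # Non-zero exit makes the lint fail a CI job when any endpoint is unguarded.
    raise SystemExit(1 if failing(SAMPLE_FILES) else 0)
```

In a real checkout the `SAMPLE_FILES` dict would be replaced by reading `ajax/**/*.php` from disk; the "late" status matters because a guard that runs after `exec()` has already executed protects nothing, which is why the check compares positions rather than merely testing for the include.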
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| billz/raspap-webgui (Packagist) | < 3.1.0 | 3.1.0 |
Affected products
- RaspAP/raspap-webgui
Patches
- d0592b63de9a Merge pull request #1548 from RaspAP/sec/authenticate-ajax
22 files changed · +77 −32
ajax/adblock/update_blocklist.php+2 −1 modified@@ -2,6 +2,8 @@ require '../../includes/csrf.php'; require_once '../../includes/config.php'; +require_once '../../src/RaspAP/Auth/HTTPAuth.php'; +require_once '../../includes/authenticate.php'; if (isset($_POST['blocklist_id'])) { $blocklist_id = escapeshellcmd($_POST['blocklist_id']); @@ -50,4 +52,3 @@ $jsonData = ['return'=>2,'output'=>['Error getting data']]; echo json_encode($jsonData); } -
ajax/bandwidth/get_bandwidth_hourly.php+4 −1 modified@@ -1,6 +1,9 @@ -<?php +<?php require '../../includes/csrf.php'; +require_once '../../includes/config.php'; +require_once '../../src/RaspAP/Auth/HTTPAuth.php'; +require_once '../../includes/authenticate.php'; if (filter_input(INPUT_GET, 'tu') == 'h') {
ajax/bandwidth/get_bandwidth.php+5 −7 modified@@ -1,8 +1,9 @@ <?php require '../../includes/csrf.php'; - require_once '../../includes/config.php'; +require_once '../../src/RaspAP/Auth/HTTPAuth.php'; +require_once '../../includes/authenticate.php'; $interface = filter_input(INPUT_GET, 'inet', FILTER_SANITIZE_SPECIAL_CHARS); if (empty($interface)) { @@ -13,8 +14,7 @@ } else { exit('No network interfaces found.'); } -} - +} define('IFNAMSIZ', 16); if (strlen($interface) > IFNAMSIZ) { exit('Interface name too long.'); @@ -72,14 +72,12 @@ $datareceived = round($jsonData[$i]['rx'] / $dsu_factor, 0); if ($timeunits === 'm') { - echo '{ "date": "' , $dt->format('Y-m') , '", "rx": "' , $datareceived , + echo '{ "date": "' , $dt->format('Y-m') , '", "rx": "' , $datareceived , '", "tx": "' , $datasend , '" }'; } else { - echo '{ "date": "' , $dt->format('Y-m-d') , '", "rx": "' , $datareceived , + echo '{ "date": "' , $dt->format('Y-m-d') , '", "rx": "' , $datareceived , '", "tx": "' , $datasend , '" }'; } } echo ' ]'; - -
ajax/logging/clearlog.php+10 −3 modified@@ -2,12 +2,19 @@ require '../../includes/csrf.php'; require_once '../../includes/config.php'; +require_once '../../src/RaspAP/Auth/HTTPAuth.php'; +require_once '../../includes/authenticate.php'; require_once '../../includes/functions.php'; if (isset($_POST['logfile'])) { - $logfile = escapeshellcmd($_POST['logfile']); + $logfile = escapeshellarg($_POST['logfile']); + $valid = '/(\/var\/log|\/tmp)/'; - // truncate requested log file - exec("sudo truncate -s 0 $logfile", $return); + if (preg_match($valid, $logfile)) { + // truncate requested log file + exec("sudo truncate -s 0 $logfile", $return); + } else { + $return = 1; + } echo json_encode($return); }
ajax/networking/do_sys_reset.php+3 −2 modified@@ -1,6 +1,8 @@ <?php require_once '../../includes/config.php'; +require_once '../../src/RaspAP/Auth/HTTPAuth.php'; +require_once '../../includes/authenticate.php'; require_once '../../includes/session.php'; require_once '../../includes/functions.php'; @@ -16,7 +18,7 @@ array("src" => $path .'/090_wlan0.conf', "tmp" => "/tmp/dnsmasqdata", "dest" => RASPI_DNSMASQ_PREFIX.'wlan0.conf'), array("src" => $path .'/090_raspap.conf', "tmp" => "/tmp/dnsmasqdata", "dest" => RASPI_DNSMASQ_PREFIX.'raspap.conf'), ); - + foreach ($configs as $config) { try { $tmp = file_get_contents($config["src"]); @@ -32,4 +34,3 @@ } else { handleInvalidCSRFToken(); } -
ajax/networking/get_all_interfaces.php+3 −0 modified@@ -1,6 +1,9 @@ <?php require '../../includes/csrf.php'; +require_once '../../includes/config.php'; +require_once '../../src/RaspAP/Auth/HTTPAuth.php'; +require_once '../../includes/authenticate.php'; exec("ls /sys/class/net | grep -v lo", $interfaces); echo json_encode($interfaces);
ajax/networking/get_channel.php+2 −0 modified@@ -2,6 +2,8 @@ require '../../includes/csrf.php'; require_once '../../includes/config.php'; +require_once '../../src/RaspAP/Auth/HTTPAuth.php'; +require_once '../../includes/authenticate.php'; exec('cat '. RASPI_HOSTAPD_CONFIG, $hostapdconfig); $arrConfig = array();
ajax/networking/get_frequencies.php+4 −2 modified@@ -1,7 +1,10 @@ <?php require '../../includes/csrf.php'; -require '../../src/RaspAP/Parsers/IwParser.php'; +require_once '../../includes/config.php'; +require_once '../../src/RaspAP/Auth/HTTPAuth.php'; +require_once '../../src/RaspAP/Parsers/IwParser.php'; +require_once '../../includes/authenticate.php'; if (isset($_POST['interface'])) { @@ -11,4 +14,3 @@ echo json_encode($supportedFrequencies); } -
ajax/networking/get_ip_summary.php+3 −0 modified@@ -3,6 +3,9 @@ require '../../includes/csrf.php'; require_once '../../includes/functions.php'; +require_once '../../includes/config.php'; +require_once '../../src/RaspAP/Auth/HTTPAuth.php'; +require_once '../../includes/authenticate.php'; if (isset($_POST['interface'])) { $int = preg_replace('/[^a-z0-9]/', '', $_POST['interface']);
ajax/networking/get_netcfg.php+3 −1 modified@@ -2,8 +2,10 @@ require '../../includes/csrf.php'; require_once '../../includes/config.php'; +require_once '../../src/RaspAP/Auth/HTTPAuth.php'; +require_once '../../includes/authenticate.php'; -$interface = $_GET['iface']; +$interface = $_POST['iface']; if (isset($interface)) { // fetch dnsmasq.conf settings for interface
ajax/networking/get_nl80211_band.php+8 −2 modified@@ -2,12 +2,19 @@ require '../../includes/csrf.php'; require_once '../../includes/config.php'; +require_once '../../src/RaspAP/Auth/HTTPAuth.php'; +require_once '../../includes/authenticate.php'; require_once '../../includes/locale.php'; if (isset($_POST['interface'])) { define( 'NL80211_BAND_24GHZ', 0x1 ); define( 'NL80211_BAND_5GHZ', 0x2 ); + + if(!preg_match('/^[a-zA-Z0-9]+$/', $_POST['interface'])) { + exit('Invalid interface name.'); + } + $iface = escapeshellcmd($_POST['interface']); $flags = 0; @@ -17,7 +24,7 @@ // get frequencies supported by device exec('iw '.$phy.' info | sed -rn "s/^.*\*\s([0-9]{4})\sMHz.*/\1/p"', $frequencies); - + if (count(preg_grep('/^24[0-9]{2}/i', $frequencies)) >0) { $flags += NL80211_BAND_24GHZ; } @@ -40,4 +47,3 @@ } echo json_encode($msg); } -
ajax/networking/get_wgcfg.php+2 −1 modified@@ -2,8 +2,9 @@ require '../../includes/csrf.php'; require_once '../../includes/config.php'; +require_once '../../src/RaspAP/Auth/HTTPAuth.php'; +require_once '../../includes/authenticate.php'; // fetch wg client.conf exec('sudo cat '. RASPI_WIREGUARD_PATH.'client.conf', $return); echo implode(PHP_EOL,$return); -
ajax/networking/get_wgkey.php+4 −2 modified@@ -2,17 +2,19 @@ require '../../includes/csrf.php'; require_once '../../includes/config.php'; +require_once '../../src/RaspAP/Auth/HTTPAuth.php'; +require_once '../../includes/authenticate.php'; $entity = escapeshellcmd($_POST['entity']); if (isset($entity)) { - + // generate public/private key pairs for entity $pubkey = RASPI_WIREGUARD_PATH.$entity.'-public.key'; $privkey = RASPI_WIREGUARD_PATH.$entity.'-private.key'; $pubkey_tmp = '/tmp/'.$entity.'-public.key'; $privkey_tmp = '/tmp/'.$entity.'-private.key'; - + exec("sudo wg genkey | tee $privkey_tmp | wg pubkey > $pubkey_tmp", $return); $wgdata['pubkey'] = str_replace("\n",'',file_get_contents($pubkey_tmp)); exec("sudo mv $privkey_tmp $privkey", $return);
ajax/networking/wifi_stations.php+3 −1 modified@@ -2,6 +2,8 @@ require '../../includes/csrf.php'; require_once '../../includes/config.php'; +require_once '../../src/RaspAP/Auth/HTTPAuth.php'; +require_once '../../includes/authenticate.php'; require_once '../../includes/defaults.php'; require_once '../../includes/functions.php'; require_once '../../includes/wifi_functions.php'; @@ -14,7 +16,7 @@ nearbyWifiStations($networks, !isset($_REQUEST["refresh"])); connectedWifiStations($networks); sortNetworksByRSSI($networks); -foreach ($networks as $ssid => $network) $networks[$ssid]["ssidutf8"] = ssid2utf8( $ssid ); +foreach ($networks as $ssid => $network) $networks[$ssid]["ssidutf8"] = ssid2utf8( $ssid ); $connected = array_filter($networks, function($n) { return $n['connected']; } ); $known = array_filter($networks, function($n) { return !$n['connected'] && $n['configured']; } );
ajax/openvpn/activate_ovpncfg.php+2 −1 modified@@ -2,6 +2,8 @@ require '../../includes/csrf.php'; require_once '../../includes/config.php'; +require_once '../../src/RaspAP/Auth/HTTPAuth.php'; +require_once '../../includes/authenticate.php'; require_once '../../includes/functions.php'; if (isset($_POST['cfg_id'])) { @@ -24,4 +26,3 @@ echo json_encode($return); } -
ajax/openvpn/del_ovpncfg.php+2 −1 modified@@ -2,6 +2,8 @@ require '../../includes/csrf.php'; require_once '../../includes/config.php'; +require_once '../../src/RaspAP/Auth/HTTPAuth.php'; +require_once '../../includes/authenticate.php'; require_once '../../includes/functions.php'; if (isset($_POST['cfg_id'])) { @@ -11,4 +13,3 @@ $jsonData = ['return'=>$return]; echo json_encode($jsonData); } -
ajax/system/sys_actions.php+3 −1 modified@@ -1,6 +1,9 @@ <?php require '../../includes/csrf.php'; +require_once '../../includes/config.php'; +require_once '../../src/RaspAP/Auth/HTTPAuth.php'; +require_once '../../includes/authenticate.php'; $action = escapeshellcmd($_POST['a']); @@ -18,4 +21,3 @@ } echo json_encode($response); } -
ajax/system/sys_debug.php+2 −1 modified@@ -2,6 +2,8 @@ require '../../includes/csrf.php'; require_once '../../includes/config.php'; +require_once '../../src/RaspAP/Auth/HTTPAuth.php'; +require_once '../../includes/authenticate.php'; if (isset($_POST['csrf_token'])) { if (csrfValidateRequest() && !CSRFValidate()) { @@ -20,4 +22,3 @@ } else { handleInvalidCSRFToken(); } -
ajax/system/sys_get_logfile.php+3 −2 modified@@ -1,7 +1,9 @@ -<?php +<?php require '../../includes/csrf.php'; require_once '../../includes/config.php'; +require_once '../../src/RaspAP/Auth/HTTPAuth.php'; +require_once '../../includes/authenticate.php'; $tempDir = sys_get_temp_dir(); $filePath = $tempDir . DIRECTORY_SEPARATOR . RASPI_DEBUG_LOG; @@ -19,4 +21,3 @@ header('Location: '.'/system_info'); exit(); } -
ajax/system/sys_perform_update.php+3 −1 modified@@ -1,6 +1,9 @@ <?php require '../../includes/csrf.php'; +require_once '../../includes/config.php'; +require_once '../../src/RaspAP/Auth/HTTPAuth.php'; +require_once '../../includes/authenticate.php'; if (isset($_POST['csrf_token'])) { if (csrfValidateRequest() && !CSRFValidate()) { @@ -18,4 +21,3 @@ } else { handleInvalidCSRFToken(); } -
ajax/system/sys_read_logfile.php+4 −1 modified@@ -1,5 +1,9 @@ <?php +require_once '../../includes/config.php'; +require_once '../../src/RaspAP/Auth/HTTPAuth.php'; +require_once '../../includes/authenticate.php'; + $logFile = '/tmp/raspap_install.log'; $searchStrings = [ 'Configure update' => 1, @@ -40,4 +44,3 @@ } else { echo json_encode("File does not exist: $logFile"); } -
app/js/custom.js+2 −1 modified@@ -216,7 +216,8 @@ Option toggles are set dynamically depending on the loaded configuration */ function loadInterfaceDHCPSelect() { var strInterface = $('#cbxdhcpiface').val(); - $.get('ajax/networking/get_netcfg.php?iface='+strInterface,function(data){ + var csrfToken = $('meta[name=csrf_token]').attr('content'); + $.post('ajax/networking/get_netcfg.php', {'iface' : strInterface, 'csrf_token': csrfToken}, function(data){ jsonData = JSON.parse(data); $('#dhcp-iface')[0].checked = jsonData.DHCPEnabled; $('#txtipaddress').val(jsonData.StaticIP);
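Review bot: in ajax/logging/clearlog.php the allow-list regex `'/(\/var\/log|\/tmp)/'` is unanchored and is matched against the value after `escapeshellarg()` has wrapped it in single quotes, so any string that merely contains `/var/log` or `/tmp` somewhere passes, including one with `..` path segments. Match the raw `$_POST['logfile']` against an anchored pattern that pins the directory and restricts the file name, for example `'#^/(var/log|tmp)/[A-Za-z0-9._-]+$#'` (which rejects `..` by construction), and only then quote it for the shell. Also note that `$return` has a different type on the two paths: `exec()` fills it with an array of output lines while the else branch assigns the integer `1`, so `json_encode($return)` produces a different JSON shape depending on which branch ran; use an explicit status value in both.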
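Review bot: in ajax/networking/get_netcfg.php the line `$interface = $_POST['iface'];` reads the array index before the `if (isset($interface))` test, so a request without the parameter raises an "Undefined array key" notice/warning rather than being handled silently. Test the superglobal directly (`if (isset($_POST['iface']))`) and validate the value with the same anchored `preg_match('/^[a-zA-Z0-9]+$/', ...)` that this PR adds to get_nl80211_band.php before it is used to look up the interface's dnsmasq configuration.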
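Review bot: in ajax/networking/get_wgkey.php the `if (isset($entity))` check cannot fail: `escapeshellcmd()` always returns a string, so `$entity` is set even when `$_POST['entity']` is absent (which itself emits an undefined-key warning on the previous line). Check `isset($_POST['entity'])` first, and because the value is concatenated into the `-public.key` and `-private.key` paths, validate it against a character allow-list such as `/^[a-zA-Z0-9_-]+$/` before use; `escapeshellcmd()` only escapes shell metacharacters and does not constrain path components.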
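Review bot: in ajax/networking/get_frequencies.php the `authenticate.php` require is placed after the IwParser.php include, whereas in most files in this PR HTTPAuth.php and authenticate.php are adjacent and come before any functional includes; moving the guard up keeps the ordering uniform and guarantees nothing from the parser include executes before authentication has been checked.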
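Review bot: in app/js/custom.js the new `$.post` callback assigns `jsonData = JSON.parse(data);` without `var`/`let`, creating an implicit global; declare it locally. Since every call that moved from GET to POST in this PR needs the same `csrf_token` field, reading the meta tag once in a shared helper (or via `$.ajaxSetup`) avoids repeating the lookup in each handler, and wrapping `JSON.parse` in a try/catch keeps a non-JSON response from throwing uncaught in the callback.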
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-vc9f-mgxr-h32r (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-28754 (ghsa, ADVISORY)
- dustri.org/b/carrot-disclosure.html (ghsa, WEB)
- github.com/RaspAP/raspap-webgui/commit/d0592b63de9a5da587ab3a51e03e7e566c7f3602 (ghsa, WEB)
- github.com/RaspAP/raspap-webgui/pull/1546 (ghsa, WEB)
- github.com/RaspAP/raspap-webgui/pull/1548 (ghsa, WEB)
News mentions
No linked articles in our index yet.