CVE-2024-44577 in RELY-PCIe
Summary
by MITRE • 09/11/2024
RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain a command injection vulnerability via the time_date function.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 04/28/2025
The vulnerability identified as CVE-2024-44577 affects RELY-PCIe software versions between v22.2.1 and v23.1.0, representing a critical command injection flaw that can be exploited through the time_date function. This vulnerability resides within the software's handling of time and date parameters, where improper input validation and sanitization allows malicious actors to inject arbitrary commands that execute with the privileges of the affected application. The issue stems from insufficient parameter filtering and command construction practices that fail to properly escape or validate user-supplied data before incorporating it into system commands. Such command injection vulnerabilities fall under the CWE-77 category, specifically CWE-77: Command Injection, which is classified as a high-risk vulnerability due to its potential for remote code execution and system compromise.
The operational impact of this vulnerability extends beyond simple command execution, as it provides attackers with the ability to manipulate system time and date configurations which can serve as a foundation for more sophisticated attacks. When exploited, the vulnerability allows an attacker to execute arbitrary commands on the system, potentially leading to complete system compromise, data exfiltration, or disruption of services. The time_date function typically handles system time synchronization and configuration, making it a critical component that, when compromised, can affect system logging, authentication mechanisms, and overall system integrity. Attackers could leverage this vulnerability to establish persistent access, modify system configurations, or escalate privileges within the affected environment.
Security practitioners should implement immediate mitigations including updating to the latest version of RELY-PCIe software where the vulnerability has been addressed, applying input validation controls to all functions that process time and date parameters, and implementing network segmentation to limit access to systems running the vulnerable software. The vulnerability aligns with ATT&CK technique T1059.001 for Command and Scripting Interpreter and T1068 for Exploitation for Privilege Escalation, indicating that attackers may use this flaw as part of broader exploitation campaigns. Organizations should also conduct thorough vulnerability assessments to identify any systems running affected versions and implement monitoring for suspicious command execution patterns that could indicate exploitation attempts. The remediation process should include validating that all user inputs are properly sanitized and that the software follows secure coding practices to prevent similar vulnerabilities from occurring in future releases.