CVE-2024-29859 is a critical security vulnerability identified in the Malware Information Sharing Platform (MISP) before version 2.4.187. The issue resides in the add_misp_export function located in the app/Controller/EventsController.php file, where the application does not properly validate or restrict file uploads. This improper validation corresponds to CWE-434 (Unrestricted Upload of File with Dangerous Type). Because the vulnerability allows unauthenticated remote attackers to upload arbitrary files, it can be exploited to execute malicious code on the server, leading to full compromise of the MISP instance. The vulnerability has a CVSS v3.1 base score of 9.8, reflecting its critical nature with attack vector as network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impacts on confidentiality, integrity, and availability all rated high (C:H/I:H/A:H). Although no public exploits have been reported yet, the vulnerability's characteristics make it highly exploitable. MISP is widely used by cybersecurity teams, CERTs, and governmental organizations for sharing threat intelligence, so exploitation could severely disrupt threat sharing and expose sensitive intelligence data. The lack of proper file upload validation means attackers can upload web shells or other malicious payloads, potentially gaining remote code execution and persistent access to the system.

The impact of CVE-2024-29859 is severe for organizations relying on MISP for threat intelligence sharing. Successful exploitation can lead to unauthorized remote code execution, allowing attackers to take full control of the MISP server. This compromises the confidentiality of sensitive threat intelligence data, undermines the integrity of shared information, and can cause denial of service or data destruction, affecting availability. Since MISP often contains critical and sensitive cybersecurity data, its compromise can cascade into broader organizational security failures, including exposure of internal threat detection capabilities and intelligence sources. Furthermore, attackers could use the compromised MISP instance as a pivot point for lateral movement within the victim's network. The vulnerability requires no authentication or user interaction, increasing the likelihood of automated exploitation attempts. The absence of known exploits currently provides a window for mitigation, but the critical severity demands immediate attention to prevent potential widespread abuse.

To mitigate CVE-2024-29859, organizations should immediately upgrade MISP to version 2.4.187 or later, where the vulnerability is patched. If upgrading is not immediately possible, implement strict network-level access controls to restrict access to the MISP web interface to trusted IP addresses only. Employ web application firewalls (WAFs) with rules to detect and block suspicious file upload attempts targeting the add_misp_export endpoint. Conduct thorough audits of existing uploaded files to detect any unauthorized or malicious content. Disable or restrict file upload functionality if not required for operational needs. Monitor MISP server logs for unusual activity, especially unexpected POST requests to the vulnerable controller. Additionally, enforce secure coding practices and input validation for any custom MISP extensions or integrations. Regularly back up MISP data and configurations to enable recovery in case of compromise. Finally, maintain an incident response plan tailored to MISP compromise scenarios to quickly contain and remediate any exploitation.