CVE-2024-37845 is a vulnerability identified in MangoOS versions before 5.2.0 that allows authenticated users with high privileges to execute arbitrary code remotely via the Active Process Command feature. This vulnerability is classified under CWE-94, which relates to code injection flaws. The vulnerability's CVSS v3.1 base score is 7.2, indicating a high severity level. The attack vector is network-based (AV:N), requiring low attack complexity (AC:L), but it mandates high privileges (PR:H) and no user interaction (UI:N). The scope remains unchanged (S:U), but the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). Exploitation could allow an attacker to execute arbitrary commands or code on the affected system, potentially leading to full system compromise. No public exploit code is currently known, and no patches have been linked yet, though the vulnerability was reserved in June 2024 and published in October 2024. The Active Process Command feature likely processes user-supplied input insecurely, enabling code injection or command execution. Organizations running MangoOS in network devices or infrastructure should consider this a critical risk and prepare to deploy patches or mitigations promptly.

The impact of CVE-2024-37845 is significant for organizations using MangoOS in their network infrastructure. Successful exploitation can lead to complete system compromise, allowing attackers to execute arbitrary code with high privileges. This can result in data breaches, disruption of services, unauthorized access to sensitive information, and potential lateral movement within networks. The vulnerability affects confidentiality, integrity, and availability, making it a critical concern for environments where MangoOS devices manage critical network functions or sensitive data. Although exploitation requires authenticated access with high privileges, insider threats or compromised credentials could be leveraged to exploit this flaw. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits post-disclosure. Organizations worldwide relying on MangoOS for routing, switching, or other network services face potential operational and security risks if this vulnerability is not addressed promptly.

To mitigate CVE-2024-37845, organizations should take the following specific actions: 1) Immediately restrict access to the Active Process Command feature to only trusted administrators and limit network exposure of MangoOS management interfaces. 2) Enforce strong authentication and access controls to prevent unauthorized users from gaining high privilege access. 3) Monitor logs and network traffic for unusual commands or activity related to the Active Process Command feature. 4) Implement network segmentation to isolate MangoOS devices from less trusted network zones. 5) Prepare to apply the official MangoOS patch or upgrade to version 5.2.0 or later as soon as it becomes available. 6) Conduct internal audits of user privileges to ensure no unnecessary high privilege accounts exist. 7) Consider deploying intrusion detection/prevention systems with signatures tuned to detect exploitation attempts targeting this vulnerability. 8) Educate administrators about the risks associated with this vulnerability and the importance of safeguarding credentials and access paths.