A critical security flaw (CVE-2024-6198) in widely deployed Viasat satellite modems allows unauthenticated attackers to execute arbitrary code on affected devices via a stack buffer overflow in the “SNORE” web interface.
The vulnerability, rated 7.7 (High) on the CVSS v4 scale, impacts multiple modem models, including RM4100, RM4200, EM4100, RM5110, RM5111, RG1000, RG1100, EG1000, and EG1020.
Discovered through automated firmware analysis by ONEKEY Research Lab, the flaw highlights systemic risks in opaque embedded software underpinning critical infrastructure.
Critical Vulnerability in Modem SNORE Interface
The modems expose a lightweight web service (lighttpd) on TCP ports 3030 and 9882 to handle administrative functions via the SNORE interface.
At the core of the flaw is the index.cgi binary located at /usr/local/SNORE, which improperly parses HTTP request paths.
When processing GET, POST, or DELETE requests, the CGI script uses an unsafe sscanf call to extract parameters from the REQUEST_URI environment variable without validating input length.
An attacker can trigger a stack buffer overflow by sending a malicious URI like http://192.168.100.1:9882/snore/blackboxes/AAAAAAAA…[512 bytes].
This overflows a fixed-size path buffer, overwriting critical stack frames and hijacking the program counter register.
Despite non-executable stack protections, attackers bypass mitigations via return-oriented programming (ROP) chains, reusing code snippets from the binary itself to achieve arbitrary command execution.
With a CVSS:4.0 vector of AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H, the vulnerability permits lateral network attacks by authenticated or unauthenticated LAN users.
Successful exploitation grants full control over modem operations, potentially enabling traffic interception, credential harvesting, or deployment of persistent malware in environments reliant on satellite communications.
Risk FactorsDetailsAffected ProductsViasat modems: RM4100, RM4200, EM4100 (firmware Start Now for Free.
