CVE-2026-24138 Overview
CVE-2026-24138 is an unauthenticated Server-Side Request Forgery (SSRF) vulnerability affecting FOG Project, a free, open-source computer cloning, imaging, rescue and inventory-management suite. The vulnerability exists in getversion.php and allows remote attackers to access internal resources and local files on the server running FOG without requiring authentication.
Critical Impact
Unauthenticated attackers can exploit this SSRF vulnerability to access internal network resources, retrieve sensitive files from the FOG server, and potentially pivot to other systems within the network infrastructure.
Affected Products
- FOG Project versions 1.5.10.1754 and below
- FOG Project installations with getversion.php exposed to network access
- Systems where FOG is deployed with default configurations
Discovery Timeline
- 2026-01-23 - CVE-2026-24138 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2026-24138
Vulnerability Analysis
This vulnerability is classified under CWE-918 (Server-Side Request Forgery). The flaw resides in the getversion.php script, which accepts a user-controlled URL parameter without proper validation or sanitization. When exploited, the server makes requests on behalf of the attacker to arbitrary destinations, effectively bypassing network access controls.
The vulnerability is particularly concerning because it can be triggered without authentication. When requests include the parameter newService=1, the SSRF attack surface becomes accessible even without a valid web session. This significantly lowers the barrier for exploitation, as attackers do not need to compromise user credentials or bypass authentication mechanisms first.
Root Cause
The root cause of this vulnerability is improper input validation in the getversion.php file. The script accepts a user-supplied URL parameter and uses it to make server-side HTTP requests without adequately restricting the target destinations. There is no whitelist enforcement for allowed domains or IP ranges, and internal network addresses are not blocked from being requested.
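What the missing check would look like: the validator below is an added illustration in Python, not FOG's code (FOG is written in PHP). It assumes a hypothetical policy in which the version lookup may only fetch over HTTPS from an allowlisted host (fogproject.org is used as the assumed upstream), and it takes an injectable resolver so the example runs offline with constructed DNS answers. The allowlist runs before any DNS lookup, and every resolved address is then checked against internal ranges, which is the part a plain hostname allowlist alone does not give you.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed policy (not FOG's): the version check may only talk HTTPS to the
# project's own public site. Adjust the allowlist to your deployment.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"fogproject.org"}

# Ranges a server-side fetch must never reach, whatever name they hide behind.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def default_resolver(host):
    """Return every address the name resolves to; all of them get checked."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_fetch_target(url, resolver=default_resolver):
    """Return (host, resolved addresses) for a permitted URL, else raise ValueError.

    Cheap allowlist checks (scheme, host, no embedded credentials) run before
    any DNS lookup; then each resolved address is tested against the blocked
    ranges so an allowlisted name cannot be pointed at an internal host.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    host = parts.hostname
    if host is None or host.lower() not in ALLOWED_HOSTS:
        raise ValueError(f"host {host!r} not on allowlist")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    addrs = {ipaddress.ip_address(a) for a in resolver(host)}
    if not addrs:
        raise ValueError(f"{host} did not resolve")
    for addr in addrs:
        if addr.is_multicast or any(addr in net for net in BLOCKED_NETS):
            raise ValueError(f"{host} resolves to blocked address {addr}")
    return host, addrs


def check(url, resolver=default_resolver):
    """Convenience wrapper: None if the URL is permitted, otherwise the reason."""
    try:
        validate_fetch_target(url, resolver)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed resolvers so the example runs offline (no real DNS).
def fake_resolver(host):
    return {"fogproject.org": {"203.0.113.10"}}.get(host, set())


def rebinding_resolver(host):
    # Models the allowlisted name answering with an internal address.
    return {"fogproject.org": {"10.0.0.5"}}.get(host, set())


if __name__ == "__main__":
    for u in ("https://fogproject.org/version", "http://fogproject.org/version",
              "https://169.254.169.254/", "file:///etc/passwd"):
        print(u, "->", check(u, fake_resolver) or "allowed")
    print("rebinding ->", check("https://fogproject.org/", rebinding_resolver))
```

The address check only helps if the subsequent fetch connects to the address that was validated rather than resolving the name a second time; with libcurl that means pinning it (for example via CURLOPT_RESOLVE) or connecting to the literal address and sending the Host header yourself. Without that, a name that changes its answer between the check and the fetch slips through.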
Attack Vector
The attack is network-based and requires no user interaction or privileges. An attacker can exploit this vulnerability by sending a crafted HTTP request to the vulnerable getversion.php endpoint with a malicious url parameter and newService=1. The FOG server then processes this request and fetches the attacker-specified resource.
This enables multiple attack scenarios including:
- Internal Network Reconnaissance: Probing internal services and infrastructure that would otherwise be inaccessible from external networks
- Local File Access: Using file:// protocol handlers to read sensitive files from the FOG server's filesystem
- Cloud Metadata Harvesting: Accessing cloud instance metadata endpoints (e.g., http://169.254.169.254/) to retrieve credentials and configuration data
- Port Scanning: Enumerating internal services by observing response timing and behavior
Detection Methods for CVE-2026-24138
Indicators of Compromise
- Unusual HTTP requests to getversion.php with url parameters containing internal IP addresses or file:// protocol
- Web server logs showing requests to getversion.php with newService=1 from external sources
- Outbound connections from the FOG server to unexpected internal services or metadata endpoints
- Access attempts to sensitive local files through the FOG application
Detection Strategies
- Deploy web application firewall (WAF) rules to detect and block requests containing SSRF attack patterns in URL parameters
- Monitor network traffic for outbound requests from the FOG server to internal RFC 1918 addresses or localhost
- Implement alerting for requests to getversion.php that include newService=1 from untrusted sources
- Review web server access logs for anomalous patterns in the url parameter field
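The indicators and detection strategies above, turned into a log review: the script below is an added example, not part of the advisory or of FOG, and runs over constructed Apache combined-format log lines embedded inline (no real FOG logs). It assumes the script lives at /fog/service/getversion.php (only the file name is matched) and that legitimate FOG clients come from 10.0.0.0/8; it flags url parameters that use a non-HTTP scheme, a loopback/private/link-local literal address, or the cloud metadata endpoint, and separately flags newService=1 requests from outside the trusted range.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx combined-log format: source IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

# Assumption: legitimate FOG clients live in this range; anything else is untrusted.
TRUSTED_SOURCES = [ipaddress.ip_network("10.0.0.0/8")]
METADATA_ENDPOINT = ipaddress.ip_address("169.254.169.254")

# Constructed sample log lines (not real FOG logs). The script path
# /fog/service/getversion.php is assumed; only the file name matters below.
SAMPLE_LOG = """\
10.0.5.12 - - [23/Jan/2026:10:01:02 +0000] "GET /fog/service/getversion.php?url=http://fogserver.local/fog/&newService=1 HTTP/1.1" 200 12 "-" "fog-client"
203.0.113.7 - - [23/Jan/2026:10:02:15 +0000] "GET /fog/service/getversion.php?url=http://169.254.169.254/&newService=1 HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [23/Jan/2026:10:02:20 +0000] "GET /fog/service/getversion.php?url=file:///etc/passwd&newService=1 HTTP/1.1" 200 1200 "-" "curl/8.0"
198.51.100.9 - - [23/Jan/2026:10:03:00 +0000] "GET /fog/service/getversion.php?url=http%3A%2F%2F127.0.0.1%3A8080%2F&newService=1 HTTP/1.1" 200 90 "-" "python-requests/2.31"
10.0.5.13 - - [23/Jan/2026:10:04:00 +0000] "GET /fog/management/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def classify_target(url):
    """Return the reasons a fetched URL looks like an SSRF attempt ([] if benign)."""
    reasons = []
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        # file://, gopher:// and similar should never reach a version-check fetch.
        reasons.append(f"non-http scheme {parts.scheme!r}")
    try:
        addr = ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        return reasons  # a DNS name: correlate with egress logs instead
    if addr == METADATA_ENDPOINT:
        reasons.append("cloud metadata endpoint")
    elif addr.is_loopback or addr.is_private or addr.is_link_local:
        reasons.append(f"internal address {addr}")
    return reasons


def analyze(log_text):
    """Scan access-log text; return one finding per suspicious getversion.php request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m["target"])
        if not target.path.endswith("/getversion.php"):
            continue
        params = parse_qs(target.query)  # parse_qs percent-decodes values
        url = params.get("url", [""])[0]
        src = ipaddress.ip_address(m["src"])
        reasons = classify_target(url)
        if params.get("newService", [""])[0] == "1" and not any(
            src in net for net in TRUSTED_SOURCES
        ):
            reasons.append("unauthenticated newService=1 from untrusted source")
        if reasons:
            findings.append(
                {"src": m["src"], "ts": m["ts"], "url": url, "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {f['url']}: {', '.join(f['reasons'])}")
```

Run it against a real access log with `analyze(open(path).read())`. Hostnames in the url parameter are deliberately not resolved here, since resolving them from the analysis host tells you nothing about what the FOG server saw at the time; pair those with the egress monitoring recommended above instead.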
Monitoring Recommendations
- Enable detailed logging on the FOG web server to capture all parameters passed to getversion.php
- Configure network monitoring to detect connections from the FOG server to cloud metadata endpoints
- Set up SIEM rules to correlate access to getversion.php with subsequent unusual outbound traffic
- Implement file integrity monitoring on sensitive configuration files that could be targeted via SSRF
How to Mitigate CVE-2026-24138
Immediate Actions Required
- Restrict network access to getversion.php using firewall rules or web server configuration
- Place the FOG web interface behind a VPN or internal network segment not directly accessible from the internet
- Implement network segmentation to limit the FOG server's ability to reach sensitive internal resources
- Review and audit any systems that may have been accessed through SSRF exploitation
Patch Information
At the time of publication, no fixed release version is available for this vulnerability. Organizations should monitor the GitHub Security Advisory for updates on patch availability. Until an official fix is released, implementing the workarounds below is critical for reducing exposure.
Workarounds
- Block external access to getversion.php using web server access controls (Apache .htaccess or Nginx location blocks)
- Configure egress filtering on the FOG server to prevent outbound requests to internal network ranges
- Implement a reverse proxy with URL validation to filter requests containing suspicious patterns
- If the getversion.php functionality is not required, consider removing or renaming the file temporarily
# Apache 2.4 (mod_authz_core) configuration to restrict access to getversion.php.
# Replace 10.0.0.0/8 with the subnets of the clients that legitimately need the
# script; every other source is denied.
<Files "getversion.php">
    <RequireAny>
        Require ip 127.0.0.1
        Require ip 10.0.0.0/8
    </RequireAny>
</Files>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.