Viasat Modems Zero-Day Vulnerabilities Let Attackers Execute Remote Code

A severe zero-day vulnerability has been uncovered in multiple Viasat satellite modem models, including the RM4100, RM4200, EM4100, RM5110, RM5111, RG1000, RG1100, EG1000, and EG1020.

Identified by ONEKEY Research Lab through automated binary static analysis, the flaw, tracked as CVE-2024-6198, affects the “SNORE” web interface running on lighttpd over TCP ports 3030 and 9882.

[Figure: Excerpts of the lighttpd configuration]

With a CVSS score of 7.7 (High), this vulnerability enables unauthenticated remote code execution (RCE) by exploiting a stack buffer overflow due to insecure path parsing in the index.cgi binary.

This critical issue, discovered on the day a customer enabled binary zero-day analysis on ONEKEY’s platform, exposes devices to potential compromise over LAN or OTA interfaces, posing significant risks to sensitive infrastructures relying on these modems.

Technical Details and Exploitation Path

The vulnerability stems from flawed handling of HTTP requests within the SNORE interface’s CGI binary located at /usr/local/SNORE.

Specifically, environment variables REQUEST_METHOD and REQUEST_URI are processed unsafely during GET, POST, or DELETE requests.

[Figure: Analysis configuration]

An unsafe call to sscanf extracts URI components into a fixed-size buffer without proper bounds checking, allowing attackers to overflow the stack by crafting malicious requests, such as http://192.168.100.1:9882/snore/blackboxes/ followed by 512 repeated characters.

This overflow grants control over critical registers, including the program counter, enabling attackers to hijack execution flow.

Despite the binary’s non-executable stack hardening, exploitation remains feasible through return-oriented programming (ROP) chains, reusing existing code blocks to execute arbitrary code.
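The fix for this class of bug is to bound and validate the URI component before it is copied. The following is an added example, not Viasat's or ONEKEY's code: the function name `parse_blackbox_uri`, the 64-byte buffer size and the character allow-list are assumptions, and the oversized path is constructed to match the 512-character request the article describes.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define COMPONENT_MAX 64 /* assumed size; the article does not give the real one */

/* Unsafe pattern the article describes (comment only, never compiled):
 *     char name[COMPONENT_MAX];
 *     sscanf(uri, "/snore/blackboxes/%s", name);  // no field width
 * A bounded "%63[^/]" would stop the overflow but silently truncate,
 * so the parser below rejects oversized input instead. */

/* Copies the path component after the prefix into out.
 * Returns 0 on success, -1 if the URI is malformed or does not fit. */
int parse_blackbox_uri(const char *uri, char *out, size_t out_len)
{
    static const char prefix[] = "/snore/blackboxes/";
    const size_t plen = sizeof(prefix) - 1;

    if (uri == NULL || out == NULL || out_len == 0)
        return -1;
    if (strncmp(uri, prefix, plen) != 0)
        return -1;

    const char *comp = uri + plen;
    size_t clen = strcspn(comp, "/?#");      /* component ends at a delimiter */
    if (clen == 0 || clen >= out_len)         /* leave room for the NUL */
        return -1;
    for (size_t i = 0; i < clen; i++)         /* assumed allow-list of characters */
        if (!isalnum((unsigned char)comp[i]) && comp[i] != '-' && comp[i] != '_')
            return -1;

    memcpy(out, comp, clen);
    out[clen] = '\0';
    return 0;
}

int main(void)
{
    char name[COMPONENT_MAX], uri[18 + 512 + 1] = "/snore/blackboxes/";
    memset(uri + 18, 'A', 512);               /* constructed oversized request path */
    uri[18 + 512] = '\0';
    printf("oversized: %d\n", parse_blackbox_uri(uri, name, sizeof name));
    printf("normal:    %d\n", parse_blackbox_uri("/snore/blackboxes/box-01", name, sizeof name));
    return 0;
}
```

A CGI handler using this pattern would return an HTTP 400 on `-1` rather than continue with a truncated name.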

Affected firmware versions include those below 3.8.0.4 for RM4100, RM4200, and EM4100, and up to 4.3.0.1 for other models, with fixes deployed in versions 3.8.0.4 and 4.3.0.2, respectively.

Viasat has rolled out automated over-the-air updates, and users are urged to ensure their devices are online to receive patches and to verify the updated firmware version via the administrative interface.

This discovery underscores the systemic risks posed by opaque firmware in critical devices and the power of proactive binary analysis in uncovering latent threats.

According to the report, ONEKEY’s automated firmware inspection, which flagged the issue during routine daily monitoring, highlights the necessity of such tools for OEMs and integrators to safeguard connected environments.

The coordinated disclosure process with Viasat, initiated on May 15, 2024, showcased effective communication despite multiple deadline extensions, culminating in public disclosure on May 25, 2025, after ensuring a significant ratio of devices in the field were patched.

Nevertheless, the incident emphasizes the urgent need for transparency in embedded software to mitigate risks in modern infrastructures.

As satellite modems underpin vital communication networks, such vulnerabilities could have far-reaching consequences if left unaddressed, making diligent firmware scrutiny and timely updates non-negotiable for security.
