Authenticated Remote Code Execution (CVE‑2026‑24897) Discovered in Erugo 0.2.14 Web Application
What Happened — A public exploit (EDB‑ID 52529) demonstrates that authenticated users of Erugo ≤ 0.2.14 can upload a malicious PHP payload via the Tus file‑upload endpoint and achieve full remote code execution on the host container. The flaw is tracked as CVE‑2026‑24897.
Why It Matters for TPRM —
- RCE in a supply‑chain component can be leveraged to compromise downstream services that embed Erugo.
- The vulnerability is exploitable with valid credentials, highlighting the need for strong credential hygiene and multi‑factor authentication for third‑party SaaS tools.
- Containers running vulnerable versions may be exposed in CI/CD pipelines, increasing the attack surface of the broader ecosystem.
Who Is Affected —
- SaaS platforms, CI/CD pipelines, and any organization that deploys Erugo ≤ 0.2.14 (e.g., DevOps tooling, internal web portals).
- Industries that rely on custom web‑apps built on open‑source stacks (technology, finance, healthcare, etc.).
Recommended Actions —
- Inventory all instances of Erugo and verify version numbers.
- Upgrade to the latest patched release (≥ 0.2.15) or apply vendor‑provided mitigations.
- Enforce MFA and rotate credentials for all Erugo accounts.
- Review container runtime security controls (e.g., read‑only file systems, least‑privilege policies).
Technical Notes — The exploit abuses the Tus resumable upload protocol to create a PHP web‑shell (<?php system($_GET["cmd"]); ?>). After authenticating via /api/auth/login, the attacker sends a crafted POST to /files/ with base64‑encoded metadata, then triggers the shell via a GET request. No CVE‑specific patch was available at the time of disclosure. Source: [Exploit‑DB 52529
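Detection logic for the upload path described above, added here as an example and not taken from Erugo or the Exploit‑DB entry: it decodes the Tus Upload‑Metadata header (comma‑separated `key base64value` pairs, per the Tus protocol) on requests to /files/ and flags any upload whose declared filename carries a PHP‑executable extension. The log format and sample lines are constructed assumptions; adapt the regex to whatever your proxy or application log actually records.

```python
import base64
import re
from typing import Dict, List

# Constructed sample log lines (not from the advisory). Assumed format:
# <method> <path> <status> upload-metadata="<Tus Upload-Metadata header>"
SAMPLE_LOG = """\
POST /files/ 201 upload-metadata="filename cmVwb3J0LnBkZg==,filetype YXBwbGljYXRpb24vcGRm"
POST /files/ 201 upload-metadata="filename c2hlbGwucGhw,filetype YXBwbGljYXRpb24veC1waHA="
POST /files/ 201 upload-metadata="filename aW1hZ2UuUEhQNQ==,filetype aW1hZ2UvcG5n"
GET /api/auth/login 200 upload-metadata=""
"""

# Extension segments a typical PHP container would hand to the interpreter.
EXECUTABLE_EXTS = {"php", "phtml", "phar", "php3", "php4", "php5", "php7", "phps"}

LOG_RE = re.compile(
    r'^(?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) upload-metadata="(?P<meta>[^"]*)"$'
)


def parse_upload_metadata(header: str) -> Dict[str, str]:
    """Decode a Tus Upload-Metadata header into {key: decoded value}."""
    result: Dict[str, str] = {}
    for pair in filter(None, (p.strip() for p in header.split(","))):
        key, _, b64 = pair.partition(" ")
        try:
            result[key] = base64.b64decode(b64, validate=True).decode("utf-8", "replace")
        except ValueError:
            result[key] = ""  # malformed value; keep the key visible to the analyst
    return result


def is_executable_name(filename: str) -> bool:
    """True if any extension segment is PHP-executable (shell.php, image.PHP5, photo.php.jpg)."""
    parts = filename.lower().split(".")
    return any(p in EXECUTABLE_EXTS for p in parts[1:])


def flag_suspicious_uploads(log_text: str) -> List[str]:
    """Return decoded filenames of Tus creation requests that would land an executable file."""
    flagged: List[str] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST" or not m.group("path").startswith("/files"):
            continue
        name = parse_upload_metadata(m.group("meta")).get("filename", "")
        if is_executable_name(name):
            flagged.append(name)
    return flagged
```

The same decode step can be turned into a pre‑storage allow‑list check in the upload handler; a flag here is a signal to confirm that the upload directory is not served by the PHP interpreter at all, rather than a reason to rely on extension filtering alone.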