The discovery of a serious zero-day vulnerability in Viasat satellite modems once again highlights the fragility of hidden components within critical infrastructures. Researchers from ONEKEY, using automated static binary analysis, uncovered a dangerous bug affecting the RM4100, RM4200, EM4100, RM5110, RM5111, RG1000, RG1100, EG1000, and EG1020 models.
The vulnerability, assigned the identifier CVE-2024-6198 and scored 7.7 on the CVSS scale, affects the SNORE web interface, which is served by lighttpd on TCP ports 3030 and 9882. The issue lies in the unsafe handling of HTTP requests within a CGI binary located at /usr/local/SNORE. Incorrect parsing of the REQUEST_METHOD and REQUEST_URI variables leads to a stack buffer overflow: the path is parsed insecurely with the sscanf function, allowing an attacker to gain control over critical system registers.
According to the research team, the exploit can be triggered by sending a specially crafted request, for example, to the address 192[.]168[.]100[.]1:9882/snore/blackboxes/, followed by 512 repeated characters. Despite protections such as a non-executable stack, successful exploitation is still possible using ROP (Return-Oriented Programming) techniques, which allow hijacking the code execution flow.
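The class of bug described above, unbounded `sscanf` path parsing into a stack buffer, is shown here next to a bounded form. This is an added example, not Viasat's or ONEKEY's code: the format string, the 63-byte limit, and the names `parse_blackbox_name` and `check_len` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PREFIX "/snore/blackboxes/"
#define NAME_MAX_LEN 63   /* assumed limit; the real buffer size is not on the page */

/* Unsafe pattern of the kind described (hypothetical reconstruction):
 *
 *     char name[64];
 *     sscanf(uri, "/snore/blackboxes/%s", name);   // no field width
 *
 * The conversion copies as many bytes as the URI supplies. */

/* Hardened form: returns 0 and fills `out` on success; -1 if the URI is
 * missing, has the wrong prefix, or its component is empty or too long. */
int parse_blackbox_name(const char *uri, char *out, size_t out_size)
{
    char name[NAME_MAX_LEN + 1];
    int consumed = 0;

    if (uri == NULL || out == NULL || out_size < sizeof name)
        return -1;
    /* Width 63 bounds the copy; %n records how far parsing got. */
    if (sscanf(uri, PREFIX "%63[^/?]%n", name, &consumed) != 1)
        return -1;
    /* Reject rather than truncate: leftover component bytes mean it was too long. */
    if (uri[consumed] != '\0' && uri[consumed] != '/' && uri[consumed] != '?')
        return -1;
    memcpy(out, name, strlen(name) + 1);
    return 0;
}

/* Builds a constructed URI with an n-byte component and returns the verdict. */
int check_len(size_t n)
{
    char uri[1024] = PREFIX, out[NAME_MAX_LEN + 1];
    if (n >= sizeof uri - sizeof PREFIX) return -1;
    memset(uri + strlen(PREFIX), 'A', n);   /* remainder of uri is already zeroed */
    return parse_blackbox_name(uri, out, sizeof out);
}

int main(void)
{
    printf("63 bytes: %d, 64 bytes: %d, 512 bytes: %d\n",
           check_len(63), check_len(64), check_len(512));
    return 0;
}
```

The field width keeps the copy inside the buffer, and the check after `%n` turns an over-long component into a rejected request instead of a silently truncated one.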
The vulnerable firmware versions include all versions below 3.8.0.4 for the RM4100, RM4200, and EM4100 models, and below 4.3.0.1 for the other devices. Viasat has released patches in updates 3.8.0.4 and 4.3.0.2, distributed via automatic OTA updates. Owners are advised to ensure their devices are connected to the network to receive the latest firmware versions and to verify the updates through the administrative panel.
The discovery of this major flaw was the result of routine firmware monitoring via the ONEKEY platform. According to the research team, this case highlights the necessity of using such tools to safeguard complex network environments and to enhance transparency in embedded software security.
Coordinated disclosure of the vulnerability began on May 15, 2024, and concluded on May 25, 2025, after a significant number of real-world devices had been updated. Despite some deadline extensions for patch deployment, the process was noted for effective collaboration between researchers and the company.
This incident further underscores the importance of early vulnerability detection within hidden layers of network infrastructure. Since satellite modems play a key role in maintaining communication, unpatched vulnerabilities can have extremely severe consequences. Timely updates and independent firmware audits are now essential requirements for maintaining security in today’s digital world.
