LiveActive security incident?Get immediate response
CVE Record

CVE-2024-28085: wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be...

wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.

LowCVSS 3.3Not KEV-listedUpdated
Glexia's TakeAutomated analysislow

Security readout for executives and security teams

Plain-English summary

CVE-2024-28085 is a local terminal-output issue in util-linux wall. A logged-in user may send terminal escape sequences to other users through command arguments when wall has setgid tty permissions. Business impact is usually limited, but shared Linux systems deserve attention because misleading terminal output can support account takeover scenarios.

Executive priority

Handle through normal Linux patch management, with earlier attention for shared administrative hosts. This is not an internet-facing emergency based on the provided evidence, but it can matter where many users share terminals.

Technical view

util-linux wall through 2.40 filters escape sequences from stdin but not from argv. With local low-privilege access, an attacker can inject terminal control sequences into another user’s terminal. The CVSS score is 3.3 because it is local, low impact, and primarily affects integrity rather than confidentiality or availability.

Likely exposure

Exposure is most relevant on multi-user Linux systems where util-linux wall is installed and commonly setgid tty. Single-user servers or environments without interactive logged-in users have lower practical exposure.

Exploitation context

The source bundle includes public writeups and a proof-of-concept repository, but KEV is false and no cited source establishes active exploitation. Abuse requires local access and a target user with an interactive terminal session.

Researcher notes

The key weakness is inconsistent escape-sequence handling between stdin and argv in wall. Evidence supports local integrity impact and plausible account-takeover scenarios, but the bundle does not prove widespread exploitation or provide complete product-level affected CPE data.

Mitigation direction

  • Update util-linux using OS or vendor security packages.
  • Prioritize shared servers, jump boxes, lab hosts, and multi-user Linux systems.
  • Check vendor advisories before changing wall permissions or package behavior.
  • Restrict unnecessary local shell access on shared systems.
  • Review terminal broadcast policies where wall is not operationally required.

Validation and detection

  • Inventory systems with util-linux wall installed.
  • Check util-linux package versions against vendor security advisories.
  • Verify whether wall has setgid tty permissions on shared hosts.
  • Confirm patched packages are deployed through configuration management.
  • Review local-user access on systems with interactive sessions.
Prepared
Confidence
high
Sources
8

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-150: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2024-28085 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Low
CVSS
3.3 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
3Timeline events
3ADP providers
10Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: noTechnical Impact: partial

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
3.3CVSS 3.1LowCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N1.81.4CISA-ADP

Vulnerability scoring details

Base CVSS 3.1 score

3.3Low
CVSS 3.1 vector shape for CVE-2024-28085Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
CISA-ADPCISA ADP Vulnrichment
cvssV3_1other:ssvc
siemens-SADPADP container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-150 · source CWE mapping

Improper Neutralization of Escape, Meta, or Control Sequences

Improper Neutralization of Escape, Meta, or Control Sequences represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.