Viasat Modems Vulnerable: Hackers Gain Easy Access

A recent discovery has brought to light a serious vulnerability in Viasat satellite modems, highlighting the fragility of essential components in critical infrastructure. Researchers from Onekey used automated static analysis of firmware binaries and uncovered a dangerous bug in several Viasat modem models, including the RM4100, RM4200, EM4100, RM5110, RM5111, RG1000, RG1100, EG1000, and EG1020.

The vulnerability, identified as CVE-2024-6198 and rated 7.7 on the CVSS scale, affects the SNORE web interface, which is served by lighttpd on TCP ports 3030 and 9882. The issue lies in the insecure processing of HTTP requests in the CGI binary located at /usr/local/SNORE. Improper handling of the REQUEST_METHOD and REQUEST_URI variables triggers a stack buffer overflow because the path is parsed unsafely with the sscanf function, allowing attackers to take control of critical registers.

Researchers pointed out that the flaw can be triggered with a specially crafted request, such as one to “https://192[.]168[.]100[.]1:9882/Snore/BlackBoxes/” followed by 512 repeating characters. Despite the protection measures in place, including a non-executable stack, successful exploitation is achievable through ROP (Return-Oriented Programming) techniques, which allow control flow to be hijacked.
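The bug class described above is an unbounded `sscanf` conversion writing into a fixed-size stack buffer. The following added example (not Viasat's or Onekey's code) shows a bounded way to parse such a path; the function name `parse_blackbox_uri`, the 64-byte limit and the format string are assumptions, and only the path prefix comes from the URL quoted above.

```c
#include <stdio.h>
#include <string.h>

#define SEG_MAX 64  /* assumed size of the buffer for one path segment */

/* Unsafe pattern of the kind the advisory describes (comment only):
 *     char seg[SEG_MAX];
 *     sscanf(uri, "/Snore/BlackBoxes/%s", seg);   // %s has no field width
 * A REQUEST_URI longer than seg overwrites the saved registers on the stack.
 */

/* Hardened parser: returns 0 and fills seg on success, -1 on any rejection.
 * The width in "%63[" must always equal SEG_MAX - 1. */
int parse_blackbox_uri(const char *uri, char seg[SEG_MAX])
{
    static const char prefix[] = "/Snore/BlackBoxes/";
    const size_t plen = sizeof(prefix) - 1;
    int consumed = 0;

    if (uri == NULL || strncmp(uri, prefix, plen) != 0)
        return -1;                        /* not the expected endpoint */

    /* Measure the segment before copying; reject instead of truncating. */
    if (strcspn(uri + plen, "/?") >= SEG_MAX)
        return -1;

    /* Bounded scanset: stops at '/' or '?', never writes more than 63+NUL. */
    if (sscanf(uri + plen, "%63[^/?]%n", seg, &consumed) != 1)
        return -1;                        /* empty segment */

    /* Whatever follows must be end of string, a sub-path or a query. */
    char next = uri[plen + (size_t)consumed];
    return (next == '\0' || next == '/' || next == '?') ? 0 : -1;
}

int main(void)
{
    char seg[SEG_MAX];
    char big[600];                        /* constructed oversized request */

    strcpy(big, "/Snore/BlackBoxes/");
    memset(big + strlen(big), 'A', 512);
    big[18 + 512] = '\0';

    printf("short: %d\n", parse_blackbox_uri("/Snore/BlackBoxes/report1", seg));
    printf("long:  %d\n", parse_blackbox_uri(big, seg));
    return 0;
}
```

Rejecting the oversized request before the copy, rather than silently truncating it, also gives the web server a clean point at which to log the anomaly.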

Affected firmware versions include those below 3.8.0.4 for the RM4100, RM4200, and EM4100 models, as well as version 4.3.0.1 for the other devices. Viasat has released fixes in updates 3.8.0.4 and 4.3.0.2, distributed via automatic over-the-air (OTA) updates. Users are advised to keep their devices connected to the network so that they receive the latest firmware, and to verify the installed version through the administrative panel.

The identification of this critical vulnerability was the outcome of routine firmware monitoring through the Onekey platform. The research team emphasized the necessity of utilizing such tools to safeguard complex network devices and enhance transparency in embedded software.

The coordinated disclosure of the vulnerability commenced on May 15, 2024, and concluded on May 25, 2025, following the update of a significant number of affected devices in use.
