Apache Guacamole 1.5.5/older: Console code exec in guacd
CVE-2024-35164 Published on July 2, 2025
Apache Guacamole: Improper input validation of console codes
The terminal emulator of Apache Guacamole 1.5.5 and older does not properly validate console codes received from servers via text-based protocols like SSH. If a malicious user has access to a text-based connection, a specially-crafted sequence of console codes could allow arbitrary code to be executed with the privileges of the running guacd process.
Users are recommended to upgrade to version 1.6.0, which fixes this issue.
Vulnerability Analysis
CVE-2024-35164 is exploitable with network access and requires a small amount of user privileges. This vulnerability is considered to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be high for confidentiality and integrity, with no impact on availability.
Timeline
Reported to security@guacamole.apache.org
Report acknowledged by project
Report confirmed by project 6 days later.
Weakness Type
What is an out-of-bounds array index Vulnerability?
The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.
CVE-2024-35164 has been classified as an out-of-bounds array index vulnerability or weakness.
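The weakness class as a toy terminal-emulator fragment in C (an added illustration, not Guacamole's or guacd's code; the SGR 256-colour handler and the `term_state`/`fg_after` names are hypothetical): a remote-supplied console-code parameter becomes an array index only after it has been range-checked, which is exactly the validation the weakness description says is missing or incorrect.

```c
#include <stdlib.h>
#include <string.h>

#define PALETTE_SIZE 256
#define MAX_PARAMS   16

typedef struct {
    unsigned int palette[PALETTE_SIZE]; /* 0xRRGGBB per entry */
    int fg_index;                       /* palette slot currently in use */
} term_state;

/* Parse "ESC [ p1 ; p2 ; ... m". Only digits and ';' are accepted between
 * the introducer and the final 'm'; returns the parameter count or -1. */
static int parse_sgr_params(const char *seq, long params[MAX_PARAMS]) {
    if (strncmp(seq, "\x1b[", 2) != 0)
        return -1;
    const char *p = seq + 2;
    int n = 0;
    while (*p && *p != 'm') {
        char *end;
        if (n >= MAX_PARAMS || *p < '0' || *p > '9')
            return -1;
        params[n++] = strtol(p, &end, 10);
        p = end;
        if (*p == ';')
            p++;
    }
    return (*p == 'm') ? n : -1;
}

/* Handle "38;5;N" (select a 256-colour foreground). N is chosen by the remote
 * side and becomes an array index, so it is range-checked before use; that
 * check is the validation whose absence CWE-129 describes. 0 = ok, -1 = rejected. */
int apply_sgr_256_fg(term_state *t, const char *seq) {
    long params[MAX_PARAMS];
    if (parse_sgr_params(seq, params) != 3 || params[0] != 38 || params[1] != 5)
        return -1;
    if (params[2] < 0 || params[2] >= PALETTE_SIZE)
        return -1;                      /* would index past palette[] */
    t->fg_index = (int)params[2];
    return 0;
}

/* Demo helper: apply one constructed sequence to a fresh state and return the
 * resulting foreground index, or -1 if the sequence was rejected. */
int fg_after(const char *seq) {
    term_state t;
    memset(&t, 0, sizeof t);
    return apply_sgr_256_fg(&t, seq) == 0 ? t.fg_index : -1;
}
```

An oversized parameter such as `38;5;300`, or one that overflows `long`, is rejected before any palette access; the same pattern applies to any console-code parameter that selects a row, column, tab stop or charset slot.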
Products Associated with CVE-2024-35164
Affected Versions
Apache Software Foundation, Apache Guacamole: versions 0.8.0 through 1.5.5 (inclusive) are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.