CVE-2024-27173
Published: 14 June 2024
Summary
CVE-2024-27173 is a critical-severity Path Traversal (CWE-22) vulnerability in Toshiba Tec products (vendor inferred from the references). Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 2.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability CVE-2024-27173 is a path traversal flaw (CWE-22) in the Remote Command program of affected Toshiba Tec products. It permits an attacker to overwrite existing Python files that contain executable code, resulting in remote code execution on the target system.
An unauthenticated remote attacker can exploit the issue over the network to achieve arbitrary code execution and full system compromise. The advisory notes that the flaw is difficult to exploit in isolation and is typically used in combination with other vulnerabilities, which explains why the assigned CVSS 3.1 score of 9.8 exceeds the severity expected from this CVE alone.
Toshiba Tec has published an advisory and PDF listing affected products, models, and versions, along with contact information for further details on remediation. Security practitioners should review the vendor references for patch availability and specific mitigation guidance.
The EPSS score is currently 0.4542, matching its recorded peak.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-24414
Vulnerability details
The Remote Command program allows an attacker to get Remote Code Execution by overwriting existing Python files containing executable code. This vulnerability can be executed in combination with other vulnerabilities and is difficult to execute alone. So, the CVSS score for this vulnerability alone is lower than the score listed in the "Base Score" of this vulnerability. For details on the related other vulnerabilities, please ask at the contact point below. https://www.toshibatec.com/contacts/products/ As for the affected products/models/versions, see the reference URL.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
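The control above is the generic CWE-22 mitigation. The following is an added example, not code from Toshiba Tec or from the affected Remote Command program, showing what that control looks like in practice for a service that accepts a client-supplied filename and writes a file under a fixed directory. Two defensive measures are combined: the requested path is canonicalised and checked to lie inside the base directory (rejecting `..` chains, absolute paths and symlink escapes), and the file is created with `O_EXCL` so an existing file, such as a Python script, can never be overwritten through this path. The base directory name, the allowed suffixes and the sample requests are constructed for the example.

```python
import os
import tempfile
from typing import Optional

# Constructed example value: the only directory the hypothetical service may write into.
BASE_DIR = "/srv/remote-command/scripts"

# Constructed allowlist: data files only, never executable code such as .py.
ALLOWED_SUFFIXES = (".txt", ".json")


def resolve_within(base_dir: str, requested: str) -> Optional[str]:
    """Return the canonical absolute path for `requested` if it lies inside
    `base_dir`, otherwise None.

    Both sides are passed through realpath(), which normalises '.' and '..'
    segments and follows symlinks for the components that exist, so a symlink
    planted inside base_dir pointing elsewhere is also caught.
    """
    # Reject obviously hostile input before touching the filesystem.
    if not requested or "\x00" in requested or os.path.isabs(requested):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    try:
        common = os.path.commonpath([base, candidate])
    except ValueError:
        # Different drives on Windows: cannot be inside base.
        return None
    return candidate if common == base else None


def safe_create(base_dir: str, requested: str, data: bytes) -> str:
    """Create a new file at the validated location and return its path.

    Raises PermissionError for traversal or a disallowed suffix, and
    FileExistsError if the target already exists (the O_EXCL guard), so an
    attacker cannot replace an existing file even when the path is in bounds.
    """
    target = resolve_within(base_dir, requested)
    if target is None:
        raise PermissionError(f"path escapes base directory: {requested!r}")
    if os.path.splitext(target)[1].lower() not in ALLOWED_SUFFIXES:
        raise PermissionError(f"file type not permitted: {requested!r}")
    # O_CREAT | O_EXCL fails atomically when the file already exists.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


def demo() -> dict:
    """Exercise the checks in a throwaway directory and report the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = safe_create(tmp, "report.txt", b"constructed sample content")
        results["created_inside_base"] = os.path.isfile(path)
        try:
            safe_create(tmp, "report.txt", b"second write")
            results["overwrite_blocked"] = False
        except FileExistsError:
            results["overwrite_blocked"] = True
        try:
            safe_create(tmp, "../escape.txt", b"x")
            results["traversal_blocked"] = False
        except PermissionError:
            results["traversal_blocked"] = True
        try:
            safe_create(tmp, "handler.py", b"print('x')")
            results["python_file_blocked"] = False
        except PermissionError:
            results["python_file_blocked"] = True
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAILED'}")
```

The key design point is that the comparison happens after canonicalisation, not on the raw string: rejecting the literal substring `..` is easy to bypass, whereas comparing `realpath()` results leaves nothing for an encoder to play with. The `O_EXCL` guard is independent of the path check and is what directly addresses the overwrite described in this CVE.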