Cyber Resilience

CVE-2024-27174

Critical

Published: 14 June 2024

Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0624 (91.1th percentile)
Risk Priority: 23 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-27174 is a critical-severity Path Traversal (CWE-22) vulnerability in Toshiba Tec products (vendor inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 8.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-27174 is a path traversal vulnerability (CWE-22) in the Remote Command program of certain Toshiba Tec products. The flaw permits remote code execution when triggered, although the supplied description states that it is difficult to exploit in isolation and is typically combined with other vulnerabilities; the listed CVSS 3.1 score of 9.8 reflects the impact of such chaining rather than the standalone issue.

An unauthenticated attacker with network access can leverage the weakness to achieve remote code execution on affected devices. Because the vulnerability is not readily exploitable by itself, successful attacks require additional flaws to reach a usable code-execution primitive.

Vendor advisories published by Toshiba Tec and coordinated through JVN direct administrators to the affected product list and contact point at https://www.toshibatec.com for remediation details, including any available patches or configuration guidance. The EPSS score has remained flat at 0.0624 with no material increase after disclosure.

EU & UK References

Vulnerability details

Remote Command program allows an attacker to get Remote Code Execution. This vulnerability can be executed in combination with other vulnerabilities and is difficult to execute alone. So, the CVSS score for this vulnerability alone is lower than the score listed in the "Base Score" of this vulnerability. For details on other related vulnerabilities, please ask the contact point below: https://www.toshibatec.com/contacts/products/ As for the affected products/models/versions, see the reference URL.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Toshibatec
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

References