CVE-2024-27176
Published: 14 June 2024
Summary
CVE-2024-27176 is a high-severity Path Traversal (CWE-22) vulnerability in Toshibatec (inferred from references). Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 9.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-27176 is a path traversal vulnerability (CWE-22) that permits an attacker to overwrite arbitrary files by supplying a falsified session ID. The flaw resides in Toshiba Tec products; the vendor's security advisories list the specific affected models and firmware versions. When exploited in isolation the issue receives a CVSS 7.2 rating, but the description notes that reliable remote code execution requires chaining with additional vulnerabilities.
An authenticated attacker with administrative privileges and network access can leverage the file-write primitive to achieve code execution. Because the attack depends on other weaknesses, the standalone exploitability is considered low; the CVSS vector reflects the need for high privileges (PR:H) and the resulting confidentiality, integrity, and availability impact.
Toshiba Tec has published firmware updates and mitigation guidance on its product support pages and in the associated JVN advisory. The current EPSS score of 0.0594 shows no material increase since disclosure, indicating limited observed exploitation interest to date.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-24417
Vulnerability details
An attacker can get Remote Code Execution by overwriting files. Overwriting files is enabled by falsifying the session ID variable. This vulnerability can be executed in combination with other vulnerabilities and is difficult to execute alone. So, the CVSS score for this vulnerability alone is lower than the score listed in the "Base Score" of this vulnerability. For details on the other related vulnerabilities, please contact the point of contact below. https://www.toshibatec.com/contacts/products/ As for the affected products/models/versions, see the reference URL.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
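The control above, validating a client-supplied value before it becomes part of a filename, is what the session-ID weakness in this CVE lacks. The following is an added example written for this page; it is not Toshiba Tec code and does not reproduce the product's session handling. It assumes a hypothetical layout of one file per session under a fixed directory (`SESSION_DIR`) and shows two layers: a strict allowlist on the session ID itself, and a containment check on the normalized path so that sequences such as `../` or an absolute path cannot escape the session directory even if the allowlist is later loosened.

```python
"""Validating an untrusted session identifier before using it in a file path.

Added example (not Toshiba Tec code). The weakness class on this page is
CWE-22: a client-controlled value (here a session ID) ends up in a filename.
Two layers are shown: an allowlist on the value, and a containment check on
the normalized path.
"""
import posixpath
import re

# Assumed layout (hypothetical, not from the advisory): one file per session
# under a fixed directory.
SESSION_DIR = "/var/app/sessions"

# Allowlist: session IDs are opaque tokens, so only a narrow character set and
# a bounded length are accepted. Everything else is rejected before any path
# arithmetic happens.
_SESSION_ID_RE = re.compile(r"[A-Za-z0-9_-]{8,64}")


class InvalidSessionId(ValueError):
    """Raised when a client-supplied session ID fails validation."""


def is_valid_session_id(session_id: str) -> bool:
    """Layer 1: accept only a plain opaque token (fullmatch, so no trailing junk)."""
    return _SESSION_ID_RE.fullmatch(session_id) is not None


def resolve_session_path(session_id: str, base_dir: str = SESSION_DIR) -> str:
    """Return the session file path, or raise InvalidSessionId.

    Layer 2: normalize the joined path and check that it is still inside
    base_dir. With the allowlist in place this never fires, but it is the
    check that matters when the value cannot be constrained to a token
    (user-chosen filenames, for instance). posixpath is used explicitly so
    the behaviour is the same on every platform.
    """
    if not is_valid_session_id(session_id):
        raise InvalidSessionId(f"rejected session id: {session_id!r}")

    base = posixpath.normpath(base_dir)
    # posixpath.join discards base if the second component is absolute, which
    # is exactly why the containment check below must come after normpath.
    candidate = posixpath.normpath(posixpath.join(base, session_id + ".sess"))

    # Containment: compare against base plus a trailing separator, so that a
    # sibling such as "/var/app/sessions2" cannot pass a plain prefix test.
    if not candidate.startswith(base + "/"):
        raise InvalidSessionId(f"path escapes session directory: {candidate}")
    return candidate


def classify(session_ids):
    """Run constructed inputs through the check.

    Returns a dict mapping each input to its resolved path or "rejected".
    """
    results = {}
    for sid in session_ids:
        try:
            results[sid] = resolve_session_path(sid)
        except InvalidSessionId:
            results[sid] = "rejected"
    return results


if __name__ == "__main__":
    # Constructed sample inputs: one benign token and several traversal-shaped
    # values that the check must refuse.
    samples = [
        "a1b2c3d4e5f6",
        "../../etc/passwd",
        "..\\..\\boot.ini",
        "/etc/passwd",
        "abc12345\x00.sess",
        "abc12345/../../../tmp/x",
    ]
    for sid, outcome in classify(samples).items():
        print(f"{sid!r:40} -> {outcome}")
```

The allowlist is the primary control; the containment check is defence in depth. If the session store can contain symlinks, canonicalize both the base directory and the candidate with `os.path.realpath` before the containment comparison, since lexical normalization alone does not see through links.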