CVE-2024-27177
Published: 14 June 2024
Summary
CVE-2024-27177 is a high-severity Path Traversal (CWE-22) vulnerability in Toshibatec (inferred from references). Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 9.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-27177 is a path traversal vulnerability (CWE-22) that permits an attacker to overwrite arbitrary files by supplying a falsified package name variable. The flaw affects specific Toshiba Tec products and models; the vendor has published affected version details in its security advisory. The reported CVSS 7.2 score reflects a composite impact that can only be realized when the issue is chained with other vulnerabilities, so the standalone severity is lower.
An authenticated attacker with network access and high privileges can exploit the flaw to achieve remote code execution through targeted file overwrites. Because the vulnerability is difficult to trigger in isolation, successful exploitation requires additional weaknesses in the same environment.
Toshiba Tec has released an advisory and PDF detailing the affected products along with recommended remediation steps; practitioners should consult the vendor's contact point for details on the related vulnerabilities that this flaw must be chained with. The associated EPSS score has remained flat at 0.0594 with no material increase since publication, indicating limited observed exploitation interest to date.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-24418
Vulnerability details
An attacker can get Remote Code Execution by overwriting files. Overwriting files is enabled by falsifying the package name variable. This vulnerability can be executed in combination with other vulnerabilities and is difficult to execute alone. So, the CVSS score for this vulnerability alone is lower than the score listed in the "Base Score" of this vulnerability. For details on the other related vulnerabilities, please ask the contact point below: https://www.toshibatec.com/contacts/products/ As for the affected products/models/versions, see the reference URL.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.