CVE-2024-27178
Published: 14 June 2024
Summary
CVE-2024-27178 is a high-severity Path Traversal (CWE-22) vulnerability in Toshiba Tec products (vendor inferred from references). Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 9.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-27178 is a path traversal vulnerability (CWE-22) affecting certain Toshiba Tec products. It allows an attacker to falsify a file name variable and overwrite arbitrary files on the system, which can be chained with other issues to achieve remote code execution. The vulnerability carries a CVSS 3.1 base score of 7.2 but is noted to be difficult to exploit in isolation, resulting in a lower effective score when assessed alone.
An authenticated attacker with high privileges can reach the flaw over the network and leverage it to overwrite files, potentially leading to code execution when combined with additional vulnerabilities. The attack requires no user interaction and impacts confidentiality, integrity, and availability.
Vendor advisories from Toshiba Tec and coordinated disclosures on JVN and Full Disclosure lists direct users to the affected product list and remediation details published at toshibatec.com, including firmware or software updates that address the file-handling issue.
The CVE's EPSS score has remained flat, peaking at 0.0594, with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-24419
Vulnerability details
An attacker can get Remote Code Execution by overwriting files. Overwriting files is enabled by falsifying the file name variable. This vulnerability can be executed in combination with other vulnerabilities and is difficult to execute alone. So, the CVSS score for this vulnerability alone is lower than the score listed in the "Base Score" of this vulnerability. For details on the other related vulnerabilities, please contact the point of contact below. https://www.toshibatec.com/contacts/products/ As for the affected products/models/versions, see the reference URL.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
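The control listed above, worked through as an added example (this is not code from this record or from Toshiba Tec, and it assumes a generic service that accepts a file name from a caller and writes only under one base directory): a strict allowlist for bare file names, and a join-then-resolve check that confines any relative path, including ones that pass through a symlink, to that base directory. The hypothetical names (`safe_join`, `is_confined`, `run_demo`) and the sample inputs are constructed for illustration.

```python
"""Generic CWE-22 control: confine caller-supplied names to a base directory.

Added example for this CVE record; not Toshiba Tec's code. Assumes a POSIX host
and a service that writes files under a single upload directory.
"""
import os
import re
import tempfile

# Bare file names only: no separators, no leading dot (so "." / ".." and hidden
# files are out), and a conservative character set. fullmatch() is used below so
# a trailing newline cannot slip past a "$" anchor.
_FILENAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


class PathTraversalError(ValueError):
    """A caller-supplied name would resolve outside the intended directory."""


def is_safe_filename(name: str) -> bool:
    """Allowlist check for a single file-name component (no directory part)."""
    return _FILENAME_RE.fullmatch(name) is not None


def safe_join(base_dir: str, user_name: str) -> str:
    """Return the absolute path for user_name, confined under base_dir.

    Rejects empty names, NUL bytes and absolute paths up front, then resolves
    symlinks and ".." on both sides and requires the result to stay inside
    base_dir. Comparison is component-wise via commonpath, so "/srv/data2"
    does not count as being inside "/srv/data".
    """
    if not user_name or "\x00" in user_name:
        raise PathTraversalError("empty name or embedded NUL byte")
    if os.path.isabs(user_name) or os.path.splitdrive(user_name)[0]:
        raise PathTraversalError("absolute paths are not accepted")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_name))
    if target == base or os.path.commonpath([base, target]) != base:
        raise PathTraversalError(f"{user_name!r} escapes {base_dir!r}")
    return target


def is_confined(base_dir: str, user_name: str) -> bool:
    """Boolean wrapper around safe_join for callers that only need a verdict."""
    try:
        safe_join(base_dir, user_name)
        return True
    except PathTraversalError:
        return False


def run_demo() -> dict:
    """Exercise the check against constructed inputs, including a symlink escape."""
    results = {}
    with tempfile.TemporaryDirectory() as outside:
        base = os.path.join(outside, "uploads")
        os.mkdir(base)
        # Constructed: a symlink inside the base that points back out of it.
        os.symlink(outside, os.path.join(base, "escape"))
        cases = {
            "plain": "report.txt",
            "nested": "2024/report.txt",
            "dotdot": "../secret.conf",
            "dotdot_deep": "a/../../secret.conf",
            "absolute": "/etc/passwd",
            "symlink": "escape/secret.conf",
            "nul": "report.txt\x00.jpg",
        }
        for label, name in cases.items():
            results[label] = is_confined(base, name)
    return results


if __name__ == "__main__":
    for label, accepted in run_demo().items():
        print(f"{label:12s} {'accepted' if accepted else 'rejected'}")
```

Checking the resolved path rather than the raw string is what handles the symlink and nested `..` cases; a simple substring test for `../` would pass both. Where the service only ever needs a bare file name, `is_safe_filename` is the stricter and simpler control to apply first.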