CVE-2024-32258
Published: 23 April 2024
Summary
CVE-2024-32258 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, it is ranked in the top 1.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-32258 is a path traversal vulnerability (CWE-22) in the network server component of FCEUX 2.7.0, an emulator for Nintendo Entertainment System titles. The flaw permits unauthenticated remote actors to supply a maliciously crafted ROM that traverses the filesystem and overwrites arbitrary files on the host running the server.
An attacker can reach the vulnerable server over the network without credentials or user interaction, achieving full control over file contents. The CVSS 3.1 score of 8.8 reflects the combination of network attack vector, low complexity, and high impact on confidentiality, integrity, and availability.
The current EPSS of 0.5575 matches its recorded peak and shows no material post-disclosure increase. Public references consist of GitHub issue reports and a proof-of-concept repository, but contain no vendor advisory or patch details.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-30076
Vulnerability details
The network server of fceux 2.7.0 has a path traversal vulnerability that allows attackers to overwrite any file on the server without authentication by using a fake ROM.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.