Cyber Resilience

CVE-2024-38292

Critical

Published: 27 February 2025

Published
27 February 2025
Modified
11 July 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0049 65.9th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-38292 is a critical-severity Path Traversal (CWE-22) vulnerability in Extremenetworks Xiq-Se. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 34.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-38292 is a path traversal vulnerability (CWE-22) affecting Extreme Networks XIQ-SE versions before 24.2.11. The issue stems from a missing access control check, which enables attackers to traverse directories and potentially escalate privileges. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its high impact on confidentiality, integrity, and availability.

An unauthenticated remote attacker with network access can exploit this vulnerability with low attack complexity and no user interaction. Exploitation allows traversal of intended file paths, leading to privilege escalation and potential unauthorized access to sensitive data or system controls.

Extreme Networks security advisory SA-2024-104 addresses this issue, recommending an upgrade to XIQ-SE version 24.2.11 or later as the primary mitigation. Additional details are available at https://community.extremenetworks.com/t5/security-advisories-formerly/sa-2024-104-xiq-se-path-traversal-privilege-escalation-cve-2024/ba-p/116362.

EU & UK References

Vulnerability details

In Extreme Networks XIQ-SE before 24.2.11, due to a missing access control check, a path traversal is possible, which may lead to privilege escalation.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Path traversal with missing auth enables remote exploitation of public-facing app (T1190) and direct privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-38291Same product: Extremenetworks Xiq-Se
CVE-2025-62630Shared CWE-22
CVE-2025-60786Shared CWE-22
CVE-2025-27590Shared CWE-22
CVE-2025-12422Shared CWE-22
CVE-2026-42520Shared CWE-22
CVE-2026-32727Shared CWE-22
CVE-2026-40258Shared CWE-22
CVE-2025-41757Shared CWE-22
CVE-2026-4858Shared CWE-22

Affected Assets

extremenetworks
xiq-se
≤ 24.2.11

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for access to system resources, directly addressing the missing access control check that enables path traversal and privilege escalation in XIQ-SE.

prevent

Validates information inputs such as file paths to block traversal sequences exploited by unauthenticated remote attackers.

prevent

Limits privileges to minimize the impact of escalation resulting from successful path traversal exploitation.

References