CVE-2024-38292
Published: 27 February 2025
Summary
CVE-2024-38292 is a critical-severity Path Traversal (CWE-22) vulnerability in Extreme Networks XIQ-SE. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 34.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations for access to system resources, directly addressing the missing access control check that enables path traversal and privilege escalation in XIQ-SE.
- SI-10 (Information Input Validation): Validates information inputs such as file paths to block the traversal sequences used by unauthenticated remote attackers.
- Limits privileges to minimize the impact of escalation resulting from successful path traversal exploitation.
NVD Description
In Extreme Networks XIQ-SE before 24.2.11, due to a missing access control check, a path traversal is possible, which may lead to privilege escalation.
Deeper analysis
CVE-2024-38292 is a path traversal vulnerability (CWE-22) affecting Extreme Networks XIQ-SE versions before 24.2.11. The issue stems from a missing access control check, which enables attackers to traverse directories and potentially escalate privileges. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its high impact on confidentiality, integrity, and availability.
An unauthenticated remote attacker with network access can exploit this vulnerability with low attack complexity and no user interaction. Exploitation allows access to files outside the intended paths, leading to privilege escalation and potential unauthorized access to sensitive data or system controls.
Extreme Networks security advisory SA-2024-104 addresses this issue, recommending an upgrade to XIQ-SE version 24.2.11 or later as the primary mitigation. Additional details are available at https://community.extremenetworks.com/t5/security-advisories-formerly/sa-2024-104-xiq-se-path-traversal-privilege-escalation-cve-2024/ba-p/116362.
Details
- CWE(s)