Cyber Resilience

CVE-2024-45256

Critical

Published: 26 August 2024

Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.5087 (97.9th percentile)
Risk Priority: 50 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-45256 is a critical-severity Path Traversal (CWE-22) vulnerability in Chebuya (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 2.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-45256 is an arbitrary file write vulnerability in the exfiltration endpoint of BYOB (Build Your Own Botnet) version 2.0. The flaw resides in the file_add function within api/files/routes.py and stems from improper handling of a crafted parameter in unauthenticated HTTP requests, enabling path traversal (CWE-22). It carries a CVSS 3.1 score of 9.8.

Unauthenticated remote attackers can send a specially formed request to the endpoint to overwrite arbitrary files on the server, including SQLite databases used for authentication. Successful exploitation grants the ability to bypass login controls and potentially achieve further control over the botnet infrastructure.

Public references include a technical analysis and working exploit code demonstrating unauthenticated remote command execution chains that begin with this file-write primitive. The EPSS score stands at 0.5087 with no material post-disclosure rise indicated.

Vulnerability details

An arbitrary file write issue in the exfiltration endpoint in BYOB (Build Your Own Botnet) 2.0 allows attackers to overwrite SQLite databases and bypass authentication via an unauthenticated HTTP request with a crafted parameter. This occurs in file_add in api/files/routes.py.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Chebuya
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.
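
The control described above, as an added example (it is not BYOB's code and not taken from the referenced analysis): a generic weak join of a client-supplied file name beside a containment check on the resolved path. The function names, the `uploads` directory and the sample names are hypothetical and constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a client-supplied name would land outside the upload root."""


def naive_upload_path(upload_root: str, client_name: str) -> str:
    # Weak pattern (generic, hypothetical): the client-controlled name is joined
    # as-is, so "../" segments or an absolute path decide where the file lands.
    return os.path.normpath(os.path.join(upload_root, client_name))


def safe_upload_path(upload_root: str, client_name: str) -> Path:
    """Return a path directly inside upload_root, or raise UnsafePathError."""
    if not client_name or "\x00" in client_name:
        raise UnsafePathError("empty name or NUL byte")
    # Policy: a file name is a single component; any separator is rejected.
    if "/" in client_name or "\\" in client_name or client_name in (".", ".."):
        raise UnsafePathError(f"separator or dot segment in {client_name!r}")
    root = Path(upload_root).resolve()
    candidate = (root / client_name).resolve()  # resolve() follows symlinks
    # Containment is checked on the resolved path, not on the raw string.
    if candidate.parent != root:
        raise UnsafePathError(f"{client_name!r} resolves outside {root}")
    return candidate


def demo() -> dict:
    """Map each constructed name to (naive stays in root?, safe result)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "uploads")
        root.mkdir()
        resolved_root = root.resolve()
        for name in ["report.txt", "../outside.db", "/tmp/x.db", "a/../../b"]:
            naive = Path(naive_upload_path(str(root), name)).resolve()
            naive_ok = resolved_root in naive.parents
            try:
                safe_ok = safe_upload_path(str(root), name).parent == resolved_root
            except UnsafePathError:
                safe_ok = None  # rejected before any file is opened
            results[name] = (naive_ok, safe_ok)
    return results
```

A request handler would call `safe_upload_path` before opening the destination file and treat `UnsafePathError` as a rejected request worth logging.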
