Cyber Posture

CVE-2024-53537

Critical

Published: 31 January 2025

Published
31 January 2025
Modified
02 October 2025
KEV Added
Patch
CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0606 90.8th percentile
Risk Priority 22 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-53537 is a critical-severity Path Traversal (CWE-22) vulnerability in Openpanel Openpanel. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 9.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly addresses the insufficient input validation in OpenPanel File Manager's File Actions by enforcing validation to reject directory traversal paths like '../'.

SI-2 Flaw Remediation good match
prevent

Mandates timely remediation of the specific directory traversal flaw through patching to OpenPanel v0.3.5 or later.

AC-3 Access Enforcement partial match
prevent

Enforces access control policies to restrict file reads and modifications to only intended directories, mitigating successful traversal attempts.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Directory traversal in public-facing File Manager component directly enables remote unauthenticated exploitation for arbitrary file read/modify.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An issue in OpenPanel v0.3.4 to v0.2.1 allows attackers to execute a directory traversal in File Actions of File Manager.

Deeper analysisAI

CVE-2024-53537 is a directory traversal vulnerability (CWE-22) affecting OpenPanel versions from v0.2.1 to v0.3.4. It resides in the File Actions feature of the File Manager component, where insufficient input validation allows attackers to access files outside the intended directory. The vulnerability carries a CVSS v3.1 base score of 9.1 (Critical), reflecting network accessibility (AV:N), low attack complexity (AC:L), no required privileges (PR:N), no user interaction (UI:N), unchanged scope (S:U), high confidentiality and integrity impacts (C:H/I:H), and no availability impact (A:N).

Remote, unauthenticated attackers can exploit this vulnerability over the network by crafting malicious requests to the File Manager's File Actions endpoint. Successful exploitation enables arbitrary file reads and modifications on the server, potentially leading to data exfiltration, tampering with sensitive configurations, or further compromise of the hosting environment.

The OpenPanel changelog for version 0.3.5 documents security fixes addressing this issue, recommending an upgrade to mitigate the vulnerability (https://openpanel.com/docs/changelog/0.3.5/#%EF%B8%8F-security-fixes). Additional details are available in the Packet Storm advisory (https://packetstorm.news/files/id/188913/).

Details

CWE(s)
CWE-22

Affected Products

openpanel
openpanel
0.2.1 — 0.3.4

CVEs Like This One

CVE-2024-53582Same product: Openpanel Openpanel
CVE-2025-25871Same product: Openpanel Openpanel
CVE-2024-53584Same product: Openpanel Openpanel
CVE-2025-59384Shared CWE-22
CVE-2025-15031Shared CWE-22
CVE-2026-7213Shared CWE-22
CVE-2026-24479Shared CWE-22
CVE-2025-66744Shared CWE-22
CVE-2026-6057Shared CWE-22
CVE-2026-5436Shared CWE-22

References