Cyber Resilience

CVE-2024-53582

Severity: High · Public PoC available

Published: 31 January 2025

Modified: 23 May 2025
KEV Added: not listed
Patch: OpenPanel 0.3.5 (see Deeper analysis)
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.0810 (92.3rd percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-53582 is a high-severity Path Traversal (CWE-22) vulnerability in OpenPanel (CPE vendor/product: Openpanel Openpanel). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 7.7% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-53582 is a path traversal vulnerability (CWE-22) affecting the Copy and View functions in the File Manager component of OpenPanel version 0.3.4. The flaw allows an attacker to supply a crafted HTTP request that traverses directories outside the intended scope, resulting in unauthorized file access. It received a CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Unauthenticated remote attackers can exploit the issue over the network without credentials or user interaction. Successful exploitation grants read access to arbitrary files on the underlying system, exposing sensitive configuration data, source code, or other confidential information stored on the server.

The official OpenPanel changelog for version 0.3.5 lists security fixes that address the directory traversal vectors in the File Manager. Administrators are advised to upgrade from 0.3.4 to 0.3.5 or later. A proof-of-concept exploit demonstrating the attack has been published on Packet Storm. The associated EPSS score has remained flat at 0.0810 with no material increase observed since disclosure.

Vulnerability details

An issue found in the Copy and View functions in the File Manager component of OpenPanel v0.3.4 allows attackers to execute a directory traversal via a crafted HTTP request.

CWE(s)

CWE-22 Path Traversal

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Directory traversal in the internet-facing File Manager component directly enables remote, unauthenticated file reads via crafted requests, which maps to exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-53537 (same product: Openpanel Openpanel)
CVE-2025-25871 (same product: Openpanel Openpanel)
CVE-2024-53584 (same product: Openpanel Openpanel)
CVE-2025-64075 (shared CWE-22)
CVE-2024-36512 (shared CWE-22)
CVE-2025-0493 (shared CWE-22)
CVE-2025-70231 (shared CWE-22)
CVE-2026-43888 (shared CWE-22)
CVE-2025-15031 (shared CWE-22)
CVE-2026-25785 (shared CWE-22)

Affected Assets

Vendor: openpanel
Product: openpanel
Version: 0.3.4

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent (SI-10 Information Input Validation): Validates HTTP request parameters in the Copy and View functions to block directory traversal sequences such as '../'.

Prevent (AC-3 Access Enforcement): Enforces logical access controls that restrict file reads to authorized directories only, preventing unauthorized access via traversal.

Prevent (flaw remediation): Remediates the specific directory traversal flaw by identifying, testing, and applying patches, in this case OpenPanel v0.3.5.
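As an added example (not OpenPanel's code; the base directory, function names and sample files are assumptions), the input-validation and access-enforcement controls above applied to a file manager's View and Copy operations: every user-supplied path is resolved against the permitted base directory and rejected if it lands outside it, whether the escape comes from a literal '../', a symlink, or an absolute path.

```python
import shutil
import tempfile
from pathlib import Path

class PathTraversalError(ValueError):
    """Requested path would escape the permitted base directory."""

def resolve_within(base_dir: str, requested: str) -> Path:
    """Join a user-supplied path onto base_dir and prove the result stays inside."""
    # Check the fully resolved path (symlinks included), not the raw string, so
    # '..' segments buried in otherwise valid paths and absolute paths are caught.
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()
    try:
        target.relative_to(base)  # raises ValueError when target is outside base
    except ValueError:
        raise PathTraversalError(f"path escapes base directory: {requested!r}") from None
    return target

def view_file(base_dir: str, requested: str) -> bytes:
    """Hardened 'View': read a file only after it is proved to lie inside base_dir."""
    return resolve_within(base_dir, requested).read_bytes()

def copy_file(base_dir: str, src: str, dst: str) -> Path:
    """Hardened 'Copy': source and destination must both resolve inside base_dir."""
    src_path, dst_path = resolve_within(base_dir, src), resolve_within(base_dir, dst)
    if not src_path.is_file():
        raise FileNotFoundError(src)
    dst_path.parent.mkdir(parents=True, exist_ok=True)
    shutil.copyfile(src_path, dst_path)
    return dst_path

def demo() -> dict:
    """Exercise the checks against a constructed sandbox directory (sample data only)."""
    base = tempfile.mkdtemp(prefix="filemanager-")
    try:
        Path(base, "public").mkdir()
        Path(base, "public", "index.html").write_bytes(b"<h1>hello</h1>")
        results = {"view": view_file(base, "public/../public/index.html"),
                   "copy": copy_file(base, "public/index.html", "backup/index.html").is_file()}
        for bad in ("../../escaped.txt", "/escaped.txt", "public/../../escaped.txt"):
            try:
                resolve_within(base, bad)
                results[bad] = "allowed"
            except PathTraversalError:
                results[bad] = "blocked"
        return results
    finally:
        shutil.rmtree(base, ignore_errors=True)
```

A path that normalises to a location inside the base (such as public/../public/index.html) is still served, so the check enforces the boundary rather than rejecting every '..' string.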
