Cyber Resilience

CVE-2024-55457

Severity: Medium
Published: 20 February 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: none listed
CVSS Score v3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
EPSS Score: 0.7525 (98.9th percentile)
Risk Priority: 58 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-55457 is a medium-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

MasterSAM Star Gate 11 contains a directory traversal vulnerability, tracked as CVE-2024-55457 and classified as CWE-22, in the /adama/adama/downloadService endpoint. An unauthenticated attacker can supply a crafted value in the file parameter to read arbitrary files on the underlying server, resulting in limited disclosure of sensitive information and a CVSS 3.1 base score of 6.5.

Remote attackers with no credentials and no user interaction can exploit the flaw over the network to retrieve files outside the intended download directory. The vector records low confidentiality and low integrity impact with no availability impact (C:L/I:L/A:N).

A public proof-of-concept is available at the referenced GitHub repository. The EPSS score peaked at 0.8718 and currently stands at 0.7525, so EPSS still estimates roughly a 75% probability of exploitation activity in the wild within the next 30 days, indicating sustained attacker interest following disclosure.

Vulnerability details

MasterSAM Star Gate 11 is vulnerable to directory traversal via /adama/adama/downloadService. An attacker can exploit this vulnerability by manipulating the file parameter to access arbitrary files on the server, potentially exposing sensitive information.
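The resolution bug described above, shown as an added example rather than MasterSAM's own code (the product's implementation language and directory layout are not on this page and are assumed here). `resolve_vulnerable` reproduces the CWE-22 pattern: the `file` value is joined onto the download root with no containment check. `rejected_by_denylist` is the weak fix of merely refusing the literal string `../`, and `resolve_hardened` is the fix a practitioner wants: canonicalise the final path and require it to sit inside the canonical root. `demo()` runs constructed filenames (including a symlink planted inside the root and a sibling directory whose name shares the root's prefix) through both checks:

```python
import os
import tempfile


class PathTraversalError(ValueError):
    """Requested file would resolve outside the download root."""


# Assumed layout: the advisory names the endpoint and the `file` parameter,
# not where the product stores its downloadable files.
DOWNLOAD_ROOT = "/srv/stargate/downloads"


def resolve_vulnerable(root, file_param):
    """The CWE-22 pattern from the advisory: the client-supplied name is joined
    onto the root with no containment check. normpath folds '..' segments, and
    os.path.join discards `root` entirely when file_param is absolute."""
    return os.path.normpath(os.path.join(root, file_param))


def rejected_by_denylist(file_param):
    """A literal check for '../'. It stops the obvious payload but passes
    absolute paths and symlinks that already live inside the root."""
    return "../" in file_param


def resolve_hardened(root, file_param):
    """Canonicalise the final path and require it to lie strictly inside the
    canonical root; raise PathTraversalError otherwise."""
    if not file_param or "\x00" in file_param:
        raise PathTraversalError("empty or NUL-containing filename")
    if os.path.isabs(file_param) or "\\" in file_param:
        raise PathTraversalError("absolute paths and backslashes are not accepted")
    root_real = os.path.realpath(root)
    # realpath resolves both '..' segments and symlinks, so a link planted
    # inside the root that points outside it is rejected as well.
    candidate = os.path.realpath(os.path.join(root_real, file_param))
    # commonpath, not str.startswith: '/srv/downloads' must not accept
    # '/srv/downloads_private/x' as being inside it.
    if candidate == root_real or os.path.commonpath([root_real, candidate]) != root_real:
        raise PathTraversalError(f"{file_param!r} resolves outside {root_real}")
    return candidate


def demo():
    """Run constructed filenames through both checks in a temporary directory
    and return {filename: (denylist_verdict, hardened_verdict)}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "downloads")
        os.mkdir(root)
        os.mkdir(os.path.join(tmp, "downloads_private"))
        with open(os.path.join(root, "report.pdf"), "w") as fh:
            fh.write("legitimate download\n")
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("outside the root\n")
        os.symlink(secret, os.path.join(root, "link.txt"))

        cases = [
            "report.pdf",              # legitimate request
            "../secret.txt",           # classic traversal
            "sub/../../secret.txt",    # traversal via a non-existent subdirectory
            "link.txt",                # symlink escape, no '..' anywhere
            "../downloads_private/x",  # prefix collision with the root's name
            "/etc/passwd",             # absolute path; os.path.join drops the root
        ]
        for name in cases:
            denylist = "blocked" if rejected_by_denylist(name) else "allowed"
            try:
                resolve_hardened(root, name)
                hardened = "allowed"
            except PathTraversalError:
                hardened = "blocked"
            results[name] = (denylist, hardened)
    return results


if __name__ == "__main__":
    print(resolve_vulnerable(DOWNLOAD_ROOT, "../../../etc/passwd"))
    for name, verdicts in demo().items():
        print(f"{name:26} denylist={verdicts[0]:8} hardened={verdicts[1]}")
```

The two cases the denylist gets wrong, the absolute path and the symlink, are exactly the ones a containment check on the canonical path catches; the prefix-collision case shows why the comparison must be on path components rather than on a string prefix.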

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Directory traversal in the public-facing downloadService endpoint maps directly to T1190 (Exploit Public-Facing Application), since it gives an unauthenticated remote attacker file access with a single request; the resulting arbitrary file reads serve T1005 (Data from Local System), collecting configuration files and other sensitive data from the host.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-12824 (shared CWE-22)
CVE-2026-25965 (shared CWE-22)
CVE-2025-30567 (shared CWE-22)
CVE-2025-27098 (shared CWE-22)
CVE-2026-35485 (shared CWE-22)
CVE-2024-54909 (shared CWE-22)
CVE-2026-3405 (shared CWE-22)
CVE-2025-41368 (shared CWE-22)
CVE-2026-23850 (shared CWE-22)
CVE-2024-13471 (shared CWE-22)

Affected Assets

MasterSAM Star Gate 11

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-10 Information Input Validation (prevent)

Validates the 'file' parameter in requests to the /adama/adama/downloadService endpoint and rejects directory traversal sequences such as '../'. Rejecting the literal string alone is not sufficient: percent-encoded variants, absolute paths and symlinks inside the download directory all bypass it, so the check should canonicalise the resolved path and confirm it lies within the intended directory.

AC-3 Access Enforcement (prevent)

Enforces access control policies at the application level to restrict file system access, so that even a successful traversal cannot read sensitive files outside the intended directory (for example by running the service under a low-privilege account with read access only to the download directory).

SC-7 Boundary Protection (prevent, detect)

Deploys boundary protection mechanisms such as a web application firewall to monitor and block inbound requests containing path traversal patterns targeting the vulnerable endpoint; normalisation of encoded and double-encoded values is required for the matching to be meaningful.
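The detection side of the boundary-protection control, as an added example that is not part of the page or of any vendor's WAF rule set. It scans access-log lines in the common Apache/nginx format (the log lines below are constructed, including their payloads; only the endpoint and the `file` parameter name come from the advisory), decodes the parameter repeatedly to defeat double encoding, normalises the request path, and flags traversal attempts against /adama/adama/downloadService. `naive_hit` records what a plain literal `../` match would have seen, so the output shows which attempts such a rule misses:

```python
import posixpath
import re
import urllib.parse

VULN_PATH = "/adama/adama/downloadService"
PARAM = "file"

# Constructed sample traffic in combined-log shape; not evidence of real activity.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Feb/2025:10:01:02 +0000] "GET /adama/adama/downloadService?file=report.pdf HTTP/1.1" 200 1024
203.0.113.10 - - [21/Feb/2025:10:01:05 +0000] "GET /adama/adama/downloadService?file=../../../etc/passwd HTTP/1.1" 200 2113
203.0.113.11 - - [21/Feb/2025:10:02:30 +0000] "GET /adama/adama/downloadService?file=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 2113
203.0.113.12 - - [21/Feb/2025:10:03:01 +0000] "GET /adama/adama/downloadService?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 2113
203.0.113.13 - - [21/Feb/2025:10:04:00 +0000] "GET /adama/adama/./downloadService?file=....//....//etc/passwd HTTP/1.1" 404 0
203.0.113.14 - - [21/Feb/2025:10:05:00 +0000] "GET /static/logo.png HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# After normalisation: '..' followed by a separator, or a leading separator
# (absolute path).
TRAVERSAL_RE = re.compile(r'\.\.[/\\]|^[/\\]')


def normalize(value, max_rounds=3):
    """Undo repeated percent-encoding (catches %252e double encoding) and treat
    backslash as a separator so '..\\' is seen as '../'."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def raw_param(query, name):
    """Return the parameter value exactly as sent, before any decoding."""
    m = re.search(r'(?:^|&)' + re.escape(name) + r'=([^&]*)', query)
    return m.group(1) if m else None


def naive_hit(raw):
    """What a literal '../' match on the undecoded value would flag."""
    return "../" in raw


def analyze(log_text):
    """Return one finding per request that targets the vulnerable endpoint
    with a traversal payload in the `file` parameter."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urllib.parse.urlsplit(m.group("target"))
        # Normalise the path so '/adama/adama/./downloadService' or a
        # percent-encoded path still matches the endpoint.
        path = posixpath.normpath(urllib.parse.unquote(url.path))
        if path != VULN_PATH:
            continue
        raw = raw_param(url.query, PARAM)
        if raw is None:
            continue
        decoded = normalize(raw)
        if "\x00" not in decoded and not TRAVERSAL_RE.search(decoded):
            continue
        findings.append({
            "src": m.group("src"),
            "ts": m.group("ts"),
            "raw": raw,
            "decoded": decoded,
            "naive_hit": naive_hit(raw),
            "status": m.group("status"),
            # A 200 with a non-trivial body after a traversal request is the
            # signal worth escalating; a 404 is still an attempt worth logging.
            "served": m.group("status") == "200",
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['src']:14} served={f['served']!s:5} naive={f['naive_hit']!s:5} {f['decoded']}")
```

Of the four flagged requests, only the two with a literal `../` on the wire would have been caught by a plain string match; the single- and double-encoded variants are only visible after decoding, which is why the normalisation step belongs in the WAF rule rather than in the application's denylist alone.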
