CVE-2024-58312
Published: 11 December 2025
Summary
CVE-2024-58312 is a high-severity Path Traversal (CWE-22) vulnerability in xbtitFM (vendor Xbtitfm). Its CVSS base score is 8.7 (High).
Operationally, it ranks in the top 9.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
xbtitFM version 4.1.18 is affected by a path traversal vulnerability tracked as CVE-2024-58312 and assigned CWE-22. The flaw resides in the handling of URL parameters, specifically in components such as nfogen.php, and permits manipulation of file paths through directory traversal sequences. The issue carries a CVSS 4.0 score of 8.7, reflecting network-accessible attack vectors with low complexity and no required user interaction.
Unauthenticated remote attackers can exploit the weakness by supplying encoded traversal characters in HTTP requests to retrieve arbitrary sensitive system files outside the intended web root. Successful exploitation grants read access to critical configuration or data files without authentication, potentially exposing credentials or other internal resources.
Public references include an Exploit-DB entry demonstrating the issue, a VulnCheck advisory focused on the unauthenticated path traversal in nfogen.php, and the vendor site at xbtitfm.eu. The associated EPSS score remains flat at 0.0567 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-55344
Vulnerability details
xbtitFM 4.1.18 contains a path traversal vulnerability that allows unauthenticated attackers to access sensitive system files by manipulating URL parameters. Attackers can exploit directory traversal techniques to read critical system files by using encoded path traversal characters in HTTP requests.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Validate pathnames and filenames to prevent traversal outside intended directories.
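As an added illustration of the control above (example code written for this page, not code from xbtitFM or any vendor), the following Python helper shows how a file-serving endpoint can confine a user-supplied path to a fixed directory. It assumes a hypothetical web root `/var/www/xbtit/nfo` and constructed request strings; it repeatedly percent-decodes the input (so double-encoded sequences are caught), rejects NUL bytes and any `..` component outright, and finally canonicalizes with `realpath` and checks that the result still lies under the root. That last step is what defends against encoded traversal characters of the kind described in this advisory.

```python
import os
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a user-supplied path would escape the configured root."""


def _fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (catches %252e%252e)."""
    decoded = value
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def resolve_within_root(root: str, user_path: str) -> str:
    """Return the canonical absolute path for user_path, or raise.

    Defence in depth, in order:
      1. decode percent-encoding so ..%2f and %2e%2e%2f are seen as '..';
      2. reject NUL bytes (classic filename-truncation trick);
      3. reject any '..' component outright, even if it would stay in root;
      4. canonicalize (realpath follows symlinks) and require the result to
         share the root as its common prefix.
    """
    decoded = _fully_decode(user_path)
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in path")
    # Treat backslashes as separators too; some servers accept both.
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/"):
        raise PathTraversalError("absolute paths are not allowed")
    if any(part == ".." for part in decoded.split("/")):
        raise PathTraversalError("parent-directory component in path")

    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, decoded))
    # commonpath on two absolute paths; anything outside root fails here.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PathTraversalError("path escapes the configured root")
    return candidate


def is_safe_request_path(root: str, user_path: str) -> bool:
    """Boolean wrapper suitable for request filtering or unit tests."""
    try:
        resolve_within_root(root, user_path)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs; the root is hypothetical and need not exist.
    ROOT = "/var/www/xbtit/nfo"
    samples = [
        "movie.nfo",                 # ordinary request, allowed
        "sub/dir/release.nfo",       # nested file inside root, allowed
        "a/../b.nfo",                # stays in root but uses '..', rejected
        "..%2f..%2fsecret.txt",      # encoded traversal, rejected
        "%252e%252e/secret.txt",     # double-encoded traversal, rejected
        "notes.nfo%00.txt",          # NUL-byte truncation attempt, rejected
    ]
    for s in samples:
        verdict = "allow" if is_safe_request_path(ROOT, s) else "REJECT"
        print(f"{verdict:7} {s!r}")
```

In a real application the root should be a constant, never derived from the request, and the resolved path (not the raw parameter) is what gets opened. Rejecting `..` before canonicalization means a benign-looking `a/../b.nfo` is refused too; that is deliberate, since legitimate clients have no reason to send it.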