Cyber Resilience

CVE-2024-58312

Severity: High | Public PoC available

Published: 11 December 2025
Modified: 30 December 2025
KEV Added: not listed
CVSS v4.0 score: 8.7 (vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0567 (90.6th percentile)
Risk priority: 21 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-58312 is a high-severity Path Traversal (CWE-22) vulnerability in xbtitFM (vendor: xbtitfm). Its CVSS base score is 8.7 (High).

Operationally, it ranks in the top 9.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

xbtitFM version 4.1.18 is affected by a path traversal vulnerability tracked as CVE-2024-58312 and assigned CWE-22. The flaw resides in the handling of URL parameters, specifically in components such as nfogen.php, and permits manipulation of file paths through directory traversal sequences. The issue carries a CVSS 4.0 score of 8.7, reflecting network-accessible attack vectors with low complexity and no required user interaction.

Unauthenticated remote attackers can exploit the weakness by supplying encoded traversal characters in HTTP requests to retrieve arbitrary sensitive system files outside the intended web root. Successful exploitation grants read access to critical configuration or data files without authentication, potentially exposing credentials or other internal resources.

Public references include an Exploit-DB entry demonstrating the issue, a VulnCheck advisory focused on the unauthenticated path traversal in nfogen.php, and the vendor site at xbtitfm.eu. The associated EPSS score remains flat at 0.0567 with no material increase since disclosure.


Vulnerability details

xbtitFM 4.1.18 contains a path traversal vulnerability that allows unauthenticated attackers to access sensitive system files by manipulating URL parameters. Attackers can apply directory traversal techniques to read critical system files by using encoded path traversal characters in HTTP requests.

CWE(s)

CWE-22: Path Traversal
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: xbtitfm
Product: xbtitfm
Version: 4.1.18

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.
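The control above, as an added example in Python (not xbtitFM's own PHP code): a three-layer check that a file-serving handler can run on a user-supplied name before opening anything. The directory, file names and request strings are constructed for the demonstration; it assumes the parameter arrives as the raw query value and so decodes it before checking.

```python
import os
import re
import tempfile
from urllib.parse import unquote

# Bare file name only: no '/', '\\', '%' or NUL, so '.', '..' and nested paths fail here.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,127}")

class UnsafePath(ValueError):
    """Raised when a requested name would resolve outside the configured directory."""

def resolve_within(base_dir: str, requested: str) -> str:
    """Canonical path of `requested` under `base_dir`, or raise UnsafePath."""
    # 1. Decode first: judge encoded sequences by what they become, not by their wire form.
    name = unquote(requested)
    # 2. Allowlist the characters of a bare file name.
    if not _SAFE_NAME.fullmatch(name):
        raise UnsafePath(f"rejected file name: {requested!r}")
    # 3. Canonicalise (symlinks resolved) and require containment in the canonical base.
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafePath(f"path escapes base directory: {requested!r}")
    return candidate

def classify(base_dir: str, requests: list) -> dict:
    """Map each request to True (resolves inside base_dir) or False (rejected)."""
    verdicts = {}
    for r in requests:
        try:
            resolve_within(base_dir, r)
            verdicts[r] = True
        except UnsafePath:
            verdicts[r] = False
    return verdicts

def demo() -> dict:
    """Exercise the check in a throwaway directory with constructed inputs."""
    with tempfile.TemporaryDirectory() as base:
        open(os.path.join(base, "release.nfo"), "w").close()  # constructed sample file
        constructed = ["release.nfo", "missing.nfo", "../release.nfo",
                       "%2e%2e%2fsecret.txt", "..%5c..%5csecret.txt", "release.nfo%00.txt"]
        try:  # a symlink pointing above base exercises the containment layer
            os.symlink(os.path.dirname(base), os.path.join(base, "escape"))
            constructed.append("escape")
        except OSError:
            pass
        return classify(base, constructed)
```

Note that "missing.nfo" is allowed: the check decides only whether a path stays inside the directory, and file existence is the handler's separate concern.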
