CVE-2024-6049
Published: 24 October 2024
Summary
CVE-2024-6049 is a high-severity triple-dot path traversal vulnerability (CWE-32) in a Lawo AG product (vendor inferred from references). Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 1.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
The web server component of Lawo AG vsm LTC Time Sync (vTimeSync) contains a triple-dot ("...") path traversal vulnerability tracked as CVE-2024-6049. An unauthenticated remote attacker can send a specially crafted HTTP request to retrieve arbitrary files from the underlying operating system, provided the target file carries a file extension such as .exe or .txt. The flaw is classified as CWE-32 and carries a CVSS 3.1 base score of 7.5, reflecting a network-reachable confidentiality impact with no authentication or user interaction required.
Any attacker who can reach an exposed vTimeSync instance over the network can exploit the issue directly to exfiltrate sensitive configuration files, binaries, or other readable content. No privileges are required, and the file-extension limitation still permits retrieval of many common operating-system and application artifacts.
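The defender-side counterpart to the weakness described above, as an added example (not code from the advisory, from Lawo, or from SEC Consult): a request-path check that treats any segment made of two or more dots ("..", "...", and longer runs) as a traversal attempt, a resolver that additionally confirms the canonical path stays under the document root, and a scan of constructed access-log lines to surface such requests. All paths, IPs and log lines below are constructed; nothing here reflects vTimeSync's actual URL layout.

```python
"""
Added example (not from the advisory or from Lawo): a defender-side check for
dot-run path traversal ("..", "...", longer runs; CWE-32 is the "..." variant)
in HTTP request paths, plus a resolver that refuses to serve anything outside a
configured document root. Log lines and paths are constructed.
"""
import posixpath
import re
from urllib.parse import unquote

# Any path segment made up only of dots, two or more long.  A lone "." is the
# current directory and is harmless; "..", "...", "...." are all treated as
# traversal attempts, because some servers collapse "..." to ".." and others
# strip one dot per normalisation pass.
DOT_RUN = re.compile(r"^\.{2,}$")


def decode_path(raw: str) -> str:
    """Percent-decode twice (catches %252e double encoding) and unify separators."""
    decoded = unquote(unquote(raw))
    return decoded.replace("\\", "/")


def is_traversal_attempt(raw_path: str) -> bool:
    """True if any segment of the request path is a run of two or more dots."""
    decoded = decode_path(raw_path)
    return any(DOT_RUN.match(seg) for seg in decoded.split("/"))


def resolve_under_root(doc_root: str, raw_path: str):
    """
    Map a request path to a filesystem path under doc_root, or return None.
    Dot-run segments are rejected outright; the remainder is canonicalised with
    posixpath.normpath and checked for containment in doc_root, so even a
    variant the regex misses cannot escape the root (defence in depth).
    """
    if is_traversal_attempt(raw_path):
        return None
    decoded = decode_path(raw_path).lstrip("/")
    root = posixpath.normpath(doc_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed access-log lines in common log format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Oct/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [24/Oct/2024:10:00:02 +0000] "GET /.../.../app/config.txt HTTP/1.1" 200 403',
    '10.0.0.9 - - [24/Oct/2024:10:00:03 +0000] "GET /%2e%2e/%2e%2e/app/config.txt HTTP/1.1" 404 0',
    '10.0.0.7 - - [24/Oct/2024:10:00:04 +0000] "GET /static/app.js HTTP/1.1" 200 2048',
]
REQ_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def flag_traversal_requests(log_lines):
    """Return (client_ip, request_path) for every line whose path looks like traversal."""
    hits = []
    for line in log_lines:
        m = REQ_LINE.search(line)
        if not m:
            continue
        if is_traversal_attempt(m.group(1)):
            hits.append((line.split()[0], m.group(1)))
    return hits


if __name__ == "__main__":
    for ip, path in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path}")
    print(resolve_under_root("/srv/www", "/index.html"))
    print(resolve_under_root("/srv/www", "/.../.../app/config.txt"))
```

The two layers are deliberately independent: the dot-run match is cheap and works as a log-side detection signature, while the containment check in `resolve_under_root` is what a file-serving handler should rely on, because it holds regardless of which dot or encoding variant reaches it.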
Public advisories and disclosure materials are available from the vendor (lawo.com/lawo-downloads), from SEC Consult (r.sec-consult.com/lawo), and on the Full Disclosure mailing list (seclists.org/fulldisclosure/2024/Oct/7). The EPSS score has remained at its recorded peak of 0.7294 since publication, with no material upward trajectory observed.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-47207
Vulnerability details
The web server of Lawo AG vsm LTC Time Sync (vTimeSync) is affected by a "..." (triple dot) path traversal vulnerability. By sending a specially crafted HTTP request, an unauthenticated remote attacker could download arbitrary files from the operating system.
As a limitation, the exploitation is only possible if the requested file has some file extension, e.g. .exe or .txt.
- CWE(s): CWE-32
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.