CVE-2024-8752
Published: 16 September 2024
Summary
CVE-2024-8752 is a critical-severity Path Traversal (CWE-22) vulnerability in Smart-Hmi Webiq. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks in the top 0.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
Deeper analysis
The Windows version of WebIQ 2.15.9 is affected by a directory traversal vulnerability tracked as CVE-2024-8752 and classified as CWE-22. The flaw permits remote attackers to read arbitrary files on the underlying system and carries a CVSS 4.0 base score of 9.3, driven by a network attack vector, low attack complexity, and no requirement for authentication or user interaction.
An unauthenticated remote attacker can exploit the issue to retrieve any file present on the Windows host, including sensitive configuration files, credentials, or other data that could facilitate further compromise of the system or connected environments.
A technical advisory published by Tenable at the referenced URL supplies additional analysis of the vulnerability. The associated EPSS score stands at 0.9113 with a recorded peak of 0.9115.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-49396
Vulnerability details
The Windows version of WebIQ 2.15.9 is affected by a directory traversal vulnerability that allows remote attackers to read any file on the system.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Directory traversal in the public-facing WebIQ web application (T1190) enables arbitrary file reads, which in turn support file and directory discovery (T1083), collection of data from the local system (T1005), and access to unsecured credentials stored in files (T1552.001).
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Validates pathnames and filenames to prevent traversal outside intended directories.
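The control above is the generic defence for CWE-22: decode the requested name once, canonicalise it against the directory the handler is allowed to serve, and only then prove the result still lies inside that directory. The following Python is an added illustration of that check, written for this page; it is not WebIQ code and says nothing about how the vendor fixed CVE-2024-8752. The web root, the file names and the "secret" file outside the root are all constructed for the demo, and the helper names (safe_join, read_static, build_demo_root) are invented here.

```python
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote


def safe_join(root: str, requested: str) -> Optional[Path]:
    """Canonicalise `requested` under `root`; return the path only if it stays inside.

    `root` is the directory the handler may serve from (assumption: the web root).
    `requested` is the raw path component taken from the request.
    """
    # Decode once so the check is made on the name the filesystem will actually see.
    decoded = unquote(requested)
    # Embedded NUL bytes truncate paths in C-based runtimes; refuse them outright.
    if "\x00" in decoded:
        return None
    # Treat Windows separators like "/" so "..\\" cannot slip past a "../"-only filter.
    decoded = decoded.replace("\\", "/")
    root_path = Path(root).resolve()
    # Drop leading separators so an absolute request cannot replace the root in the join.
    candidate = (root_path / decoded.lstrip("/")).resolve()
    # resolve() collapses "." and "..", and follows symlinks; relative_to() proves containment.
    try:
        candidate.relative_to(root_path)
    except ValueError:
        return None
    return candidate


def read_static(root: str, requested: str) -> Optional[bytes]:
    """Read a file beneath `root` if and only if the resolved path is contained in `root`."""
    target = safe_join(root, requested)
    if target is None or not target.is_file():
        return None
    return target.read_bytes()


def build_demo_root() -> str:
    """Create a constructed web root with one public file and one file outside it."""
    base = Path(tempfile.mkdtemp(prefix="webroot-demo-"))
    www = base / "www"
    www.mkdir()
    (www / "index.html").write_text("<h1>public</h1>")
    # Sits beside the web root, so it must never be readable through the handler.
    (base / "secret.cfg").write_text("password=constructed-example")
    return str(www)


if __name__ == "__main__":
    root = build_demo_root()
    for name in ("index.html", "../secret.cfg", "%2e%2e%2fsecret.cfg", "..\\secret.cfg"):
        print(f"{name!r:28} -> {read_static(root, name)}")
```

Because both the root and the candidate are passed through resolve(), a symlink placed inside the web root that points outside it is rejected as well; a check that only inspects the string for ".." would miss that case and the percent-encoded and backslash variants shown in the demo loop.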