Cyber Resilience

CVE-2024-8752

CriticalPublic PoC

Published: 16 September 2024

Published
16 September 2024
Modified
20 September 2024
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.9113 99.7th percentile
Risk Priority 73 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-8752 is a critical-severity Path Traversal (CWE-22) vulnerability in Smart-Hmi Webiq. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked in the top 0.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

The Windows version of WebIQ 2.15.9 is affected by a directory traversal vulnerability tracked as CVE-2024-8752 and CWE-22. The flaw permits remote attackers to read arbitrary files on the underlying system and carries a CVSS 4.0 base score of 9.3 driven by network attack vector, low attack complexity, and no requirements for authentication or user interaction.

An unauthenticated remote attacker can exploit the issue to retrieve any file present on the Windows host, including sensitive configuration files, credentials, or other data that could facilitate further compromise of the system or connected environments.

A technical advisory published by Tenable at the referenced URL supplies additional analysis of the vulnerability. The associated EPSS score stands at 0.9113 with a recorded peak of 0.9115.

EU & UK References

Vulnerability details

The Windows version of WebIQ 2.15.9 is affected by a directory traversal vulnerability that allows remote attackers to read any file on the system.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1083 File and Directory Discovery Discovery
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

Directory traversal in public-facing WebIQ web app (T1190) enables arbitrary file reads for file/directory discovery (T1083), data collection from local system (T1005), and accessing unsecured credentials in files (T1552.001).

Affected Assets

smart-hmi
webiq
2.15.9

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

References