Unauthenticated RCE Vulnerability in MileSight DeviceHub Due to Path Traversal
CVE-2024-27776

9.8 CRITICAL

Key Information:

Vendor: Milesight

Status: Vendor

CVE Published: 2 June 2024

What is CVE-2024-27776?

The vulnerability in MileSight DeviceHub is an improper limitation of a pathname to a restricted directory (CWE-22, path traversal): the application does not adequately constrain the file paths it accepts, so an attacker can supply directory components that escape the intended directory. In this case the flaw can be exploited without authentication and leads to remote code execution, which makes it a severe risk for systems running a vulnerable version of DeviceHub. Organizations using this product should assess their installations promptly and apply the available updates or mitigations.

Affected Version(s)

DeviceHub v3.0.1-r1 for Ubuntu 20.04

References

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Claroty Research – Team 82