CRITICAL🇵🇱 Wersja polska

CVE-2024-27776

CVSS 9.8v3.1pub. 2024-06-02upd. 2025-04-10

MileSight DeviceHub - CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') may allow Unauthenticated RCE

🤖 AI Analysis
How it works

The vulnerability is based on improper limitation of a pathname to a restricted directory. An attacker can craft a network request containing path traversal sequences (e.g., '../') to escape the allowed filesystem area and gain access to sensitive resources or execute arbitrary code. The attack requires no authentication or user interaction and is possible remotely over the network.

Impact

An attacker can gain complete control over the vulnerable system by executing arbitrary code remotely (RCE), and can also gain unauthorized access to sensitive data, modify it, or cause service unavailability.

Mitigation & patch

Patches available from the manufacturer should be applied according to the references. Due to the lack of authentication requirement, it is also recommended to restrict network access to the DeviceHub interface only to trusted IP addresses until the update is deployed.

Who is affected

MileSight DeviceHub — versions indicated in the manufacturer's references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Canonical Ubuntu

    OS
    Canonical
    20.04
  • Milesight Devicehub

    APP
    Milesight
    3.0.1-r1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Path Traversal
CWE
References

Related vulnerabilities

CVE-2025-32463CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)

CVE-2022-0543CRITICAL10.0⚠ KEVten sam produkt

It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debia...

CVE-2020-11651CRITICAL9.8⚠ KEVten sam produkt

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process Clea...

CVE-2020-7247CRITICAL9.8⚠ KEVten sam produkt

smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote att...

CVE-2019-16928CRITICAL9.8⚠ KEVten sam produkt

Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is...