The fix for CVE-2024-26261 was incomplete, and and the specific package for OAKlouds from Hgiga remains at risk. Unauthenticated remote attackers still can download arbitrary system files, which may be deleted subsequently .
The vulnerability is based on improper handling of absolute paths (CWE-36 — absolute path traversal), which allows an attacker to request arbitrary files outside the allowed directory. Since access does not require authentication, an attacker can send a crafted network request and obtain the contents of any system file. Additionally, downloaded files can subsequently be deleted from the server, posing a risk of permanent data loss.
An attacker can gain access to sensitive system files (e.g., configurations, credentials) and permanently delete them, causing system disruption or data loss.
Apply patches available from the manufacturer (Hgiga) according to references published by TWCERT (https://www.twcert.org.tw/en/cp-139-8131-0b5e1-2.html). The previous patch for CVE-2024-26261 is insufficient — an update dedicated to CVE-2024-9924 is required.
Hgiga's OAKlouds package — versions specified in manufacturer references (the vulnerability affects products where the incomplete patch for CVE-2024-26261 was implemented)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H