#VU89629 External Control of File Name or Path in RUGGEDCOM CROSSBOW - CVE-2024-27945

Cybersecurity Help s.r.o.

Published: 2024-05-17

Vulnerability identifier: #VU89629

Vulnerability risk: Low

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-27945

CWE-ID: CWE-73

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
RUGGEDCOM CROSSBOW
Other software / Other software solutions

Vendor: Siemens

Description

The vulnerability allows a remote user to upload arbitrary files.

The vulnerability exists due to application allows an attacker to control path of the files to delete. A remote administrator can send a specially crafted HTTP request and upload arbitrary files on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

RUGGEDCOM CROSSBOW: before 5.5

External links
https://cert-portal.siemens.com/productcert/html/ssa-916916.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Siemens RUGGEDCOM CROSSBOW