CVE-2024-6049
published 2024-10-24


Priority: P2 (63) · Severity: high · CVSS 3.1 base score: 7.5
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: EXPLOIT
EPSS: 4.32% (90.0th percentile)
The web server of Lawo AG vsm LTC Time Sync (vTimeSync) is affected by a "..." (triple dot) path traversal vulnerability. By sending a specially crafted HTTP request, an unauthenticated remote attacker could download arbitrary files from the operating system. As a limitation, the exploitation is only possible if the requested file has some file extension, e. g. .exe or .txt.

Detection & IOCs (extracted from sources)

IoC (request path): path/.../.../.../.../.../.../.../.../.../Windows/win.ini
Sigma rule: HTTP GET request path containing '...' (triple dot) segments targeting file extensions (e.g. .ini, .exe, .txt)
  • Detect unauthenticated HTTP GET requests containing triple-dot ('...') path segments in the URI, which are characteristic of this path traversal exploit against Lawo vTimeSync web server.
  • Confirm exploitation by checking HTTP 200 response body for Windows/win.ini markers: 'bit app support', 'fonts', and 'extensions'.
  • Fingerprint the target as a Lawo vTimeSync web server by checking the response body for the strings 'vTimeSync' and 'Lawo' before attempting traversal detection.
  • Exploitation is only possible when the requested file has a file extension (e.g. .exe, .txt, .ini); filter/alert on traversal paths that include a file extension.
  • The path traversal uses '...' (triple dot) segments, not the standard '../' double-dot sequences. WAF/IDS rules tuned only for '../' traversal patterns will NOT detect this attack.
  • Exploitation requires the target file to have a file extension; requests for extension-less files will not succeed, which limits the scope of detectable payloads.
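The detection notes above, turned into runnable form as an added example (it is not part of the original advisory and not Lawo product code): a Python scanner that parses access-log lines in the common log format, flags GET requests whose URL-decoded path contains a '...' segment, separates requests for files with an extension (the only ones the advisory says can succeed) from extension-less ones, and checks a captured response body for the win.ini markers and the vTimeSync/Lawo fingerprint strings. The log lines, the win.ini excerpt, the banner text and all function names are constructed for this example.

```python
"""Flag triple-dot ('...') path traversal requests in web server access logs.

All sample data below is constructed for this example; nothing here was
captured from a real Lawo vTimeSync host.
"""
import re
from typing import Optional
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# A path segment consisting of three or more dots, e.g. "/.../". Rules that
# only look for "../" never see this pattern, which is the advisory's point.
TRIPLE_DOT_SEGMENT = re.compile(r'(?:^|/)\.{3,}(?=/|$)')

# Strings the advisory lists as evidence that Windows/win.ini was returned.
WIN_INI_MARKERS = ('bit app support', 'fonts', 'extensions')
# Strings the advisory lists for fingerprinting the vTimeSync web server.
BANNER_MARKERS = ('vTimeSync', 'Lawo')


def _decode(path: str) -> str:
    """URL-decode twice so single- and double-encoded dots are normalised."""
    return unquote(unquote(path))


def has_triple_dot_traversal(path: str) -> bool:
    """True when the decoded request path contains a '...' segment."""
    return bool(TRIPLE_DOT_SEGMENT.search(_decode(path)))


def target_has_extension(path: str) -> bool:
    """True when the last path component carries a file extension (.ini, .exe ...)."""
    last = _decode(path).split('?', 1)[0].rsplit('/', 1)[-1]
    return '.' in last.strip('.')


def parse_log_line(line: str) -> Optional[dict]:
    """Split one common-log-format line into its fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_access_log(lines):
    """Return (path, status, verdict) for every GET that matches the rule."""
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if not rec or rec['method'] != 'GET':
            continue
        if not has_triple_dot_traversal(rec['path']):
            continue
        if not target_has_extension(rec['path']):
            # Advisory: extension-less targets cannot be read, so lower priority.
            verdict = 'traversal-pattern-no-extension'
        elif rec['status'] == '200':
            verdict = 'possible-success'
        else:
            verdict = 'likely-exploit-attempt'
        findings.append((rec['path'], rec['status'], verdict))
    return findings


def looks_like_win_ini(body: str) -> bool:
    """True when a response body carries all three win.ini markers."""
    text = body.lower()
    return all(marker in text for marker in WIN_INI_MARKERS)


def is_vtimesync_banner(body: str) -> bool:
    """True when a response body contains both fingerprint strings."""
    return all(marker in body for marker in BANNER_MARKERS)


# Constructed sample log: one benign request, one decoded traversal that got a
# 200, one double-encoded traversal that got a 404, one traversal towards an
# extension-less file, one classic '../' request (out of scope for this rule)
# and one POST that the rule ignores.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Oct/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [24/Oct/2024:10:00:01 +0000] "GET /path/.../.../.../Windows/win.ini HTTP/1.1" 200 403',
    '203.0.113.5 - - [24/Oct/2024:10:00:02 +0000] "GET /path/%2e%2e%2e/%2e%2e%2e/Windows/win.ini HTTP/1.1" 404 0',
    '203.0.113.5 - - [24/Oct/2024:10:00:03 +0000] "GET /path/.../.../Windows/System32/drivers/etc/hosts HTTP/1.1" 200 824',
    '203.0.113.5 - - [24/Oct/2024:10:00:04 +0000] "GET /path/../../Windows/win.ini HTTP/1.1" 403 0',
    '203.0.113.5 - - [24/Oct/2024:10:00:05 +0000] "POST /path/.../.../Windows/win.ini HTTP/1.1" 405 0',
]

# Constructed excerpt in the shape of a Windows win.ini file.
SAMPLE_WIN_INI_BODY = "; for 16-bit app support\n[fonts]\n[extensions]\n[mci extensions]\n[files]\n"

if __name__ == '__main__':
    for path, status, verdict in scan_access_log(SAMPLE_LOG):
        print(f'{verdict:32} {status} {path}')
    print('body looks like win.ini:', looks_like_win_ini(SAMPLE_WIN_INI_BODY))
```

Only the 200-status request for a file with an extension is reported as a possible success; the request for the extension-less hosts file is still surfaced, but at a lower tier, because the advisory states such reads cannot succeed. Pair the log verdicts with the body checks when a proxy or WAF captures responses: a 200 whose body passes looks_like_win_ini is the confirmation the Sigma rule's notes describe.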