CVE-2024-8752
Published 2024-09-16
CVE-2024-8752: The Windows version of WebIQ 2.15.9 is affected by a directory traversal vulnerability that allows remote attackers to read any file on the system.
Priority P179 · high · 7.5 CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 11.76% (95.5th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| smart-hmi | webiq | — | — |
| smart_hmi | webiq | — | — |
Detection & IOCs
url: /.webui/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini
path: /.webui/
snort:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS WebIQ 2.15.9 Directory Traversal Attempt (CVE-2024-8752)"; flow:established,to_server; http.request_line; content:"GET /.webui/"; startswith; fast_pattern; pcre:"/^.{0,10}(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; reference:url,github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-8752.yaml; reference:cve,2024-8752; classtype:web-application-attack; sid:2055916; rev:3; metadata:affected_product WebIQ, created_at 2024_09_18, cve CVE_2024_8752, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Exploit requests target the /.webui/ endpoint using URL-encoded backslash traversal sequences (%5c) to escape the web root and read arbitrary Windows files (e.g., windows\win.ini).
- Successful exploitation returns HTTP 200 with Content-Type image/svg+xml and a body containing win.ini markers: 'bit app support', 'fonts]', 'extensions]'.
- The Emerging Threats Snort rule (SID 2055916) uses a PCRE to detect URL-encoded dot-dot-slash/backslash sequences after /.webui/ in HTTP GET request lines: `/^.{0,10}(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R`
- Shodan query 'title:"WebIQ"' can be used to identify exposed WebIQ instances on the internet for proactive asset discovery.
- The vulnerability is specific to the Windows version of WebIQ 2.15.9; the traversal payload relies on Windows backslash path separators (%5c) and is not applicable to non-Windows deployments.
- No authentication is required to exploit this vulnerability (PR:N, UI:N in CVSS), meaning any unauthenticated remote attacker can read arbitrary files.
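
Added example (not part of the source page or of the Emerging Threats ruleset): a Python port of the rule's request-line match, combined with the response indicators listed above, for separating traversal attempts from likely file disclosure when reviewing proxy or web-server logs. The names `classify` and `triage`, the sample transactions, and the requirement that all three win.ini markers be present are assumptions.

```python
import re

# Port of the rule's content + PCRE: "GET /.webui/" at the start of the request
# line, up to 10 bytes, then two or more dot-segments (raw or %2e), each followed
# by one or more separators (/, \, %2f, %5c).
TRAVERSAL = re.compile(
    r"^GET /\.webui/.{0,10}"
    r"(?:(?:\.|%2[Ee]){1,2}(?:/|\\|%5[Cc]|%2[Ff])+){2,}"
)

# win.ini markers listed on the page; requiring all three is an assumption.
WIN_INI_MARKERS = ("bit app support", "fonts]", "extensions]")


def classify(request_line, status, content_type, body):
    """Return 'none', 'attempt' or 'likely-success' for one HTTP transaction."""
    if not TRAVERSAL.search(request_line):
        return "none"
    leaked = (
        status == 200
        and content_type.lower().startswith("image/svg+xml")
        and all(marker in body for marker in WIN_INI_MARKERS)
    )
    return "likely-success" if leaked else "attempt"


# Constructed sample transactions (not captured traffic):
# (request line, response status, response Content-Type, response body)
WIN_INI = "; for 16-bit app support\n[fonts]\n[extensions]\n[mci extensions]\n"
SAMPLES = [
    ("GET /.webui/..%5c..%5c..%5cwindows%5cwin.ini HTTP/1.1", 200, "image/svg+xml", WIN_INI),
    ("GET /.webui/..%5C..%5C..%5Cwindows%5Cwin.ini HTTP/1.1", 404, "text/html", "Not Found"),
    ("GET /.webui/%2e%2e%2f%2e%2e%2fwindows%2fwin.ini HTTP/1.1", 404, "text/html", ""),
    ("GET /.webui/icons/logo.svg HTTP/1.1", 200, "image/svg+xml", "<svg/>"),
]


def triage(samples=SAMPLES):
    """Classify each sample transaction in order."""
    return [classify(*sample) for sample in samples]


if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, triage()):
        print(f"{verdict:15} {sample[0]}")
```

A `likely-success` verdict means file contents left the host, so the transaction should be handled as a disclosure incident rather than as scan noise.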
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | — | 9.3 | CRITICAL | — |
GHSA
GHSA-7c78-g5wc-hcch: The Windows version of WebIQ 2
ghsa_unreviewed·2024-09-16
CVE-2024-8752 [CRITICAL] CWE-22 GHSA-7c78-g5wc-hcch: The Windows version of WebIQ 2
The Windows version of WebIQ 2.15.9 is affected by a directory traversal vulnerability that allows remote attackers to read any file on the system.
VulnCheck
smart-hmi webiq Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2024·CVSS 9.3
CVE-2024-8752 [CRITICAL] smart-hmi webiq Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The Windows version of WebIQ 2.15.9 is affected by a directory traversal vulnerability that allows remote attackers to read any file on the system.
Affected: smart-hmi webiq
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-10-07&host_type=src&vulnerability=cve-2024-8752; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-10-14&host_type=src&vulnerability=cve-2024-8752; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024
Suricata
ET WEB_SPECIFIC_APPS WebIQ 2.15.9 Directory Traversal Attempt (CVE-2024-8752)
suricata·2024-09-18·CVSS 9.3
CVE-2024-8752 [CRITICAL] ET WEB_SPECIFIC_APPS WebIQ 2.15.9 Directory Traversal Attempt (CVE-2024-8752)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS WebIQ 2.15.9 Directory Traversal Attempt (CVE-2024-8752)"; flow:established,to_server; http.request_line; content:"GET /.webui/"; startswith; fast_pattern; pcre:"/^.{0,10}(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; reference:url,github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-8752.yaml; reference:cve,2024-8752; classtype:web-application-attack; sid:2055916; rev:3; metadata:affected_product WebIQ, created_at 2024_09_18, cve CVE_2024_8752, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mit
Nuclei
WebIQ 2.15.9 - Directory Traversal
nuclei·CVSS 9.3
CVE-2024-8752 [CRITICAL] WebIQ 2.15.9 - Directory Traversal
The Windows version of WebIQ 2.15.9 is affected by a directory traversal vulnerability that allows remote attackers to read any file on the system.
Template:
```yaml
id: CVE-2024-8752

info:
  name: WebIQ 2.15.9 - Directory Traversal
  author: s4e-io
  severity: high
  description: |
    The Windows version of WebIQ 2.15.9 is affected by a directory traversal vulnerability that allows remote attackers to read any file on the system.
  impact: |
    Unauthenticated attackers can exploit directory traversal to read arbitrary files from the Windows system, potentially exposing sensitive configuration files, credentials, database files, and system information.
  remediation: |
    Update WebIQ to a version later than 2.15.9 to address the directory traversal vulnerability.
  reference:
    - h
```