CVE-2024-8752
published 2024-09-16

CVE-2024-8752: The Windows version of WebIQ 2.15.9 is affected by a directory traversal vulnerability that allows remote attackers to read any file on the system.

Priority: P1 (79), high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 11.76% (95.5th percentile)

Affected

2 ranges
Vendor | Product | Version range | Fixed in
smart-hmi | webiq | |
smart_hmi | webiq | |

Detection & IOCs (extracted from sources)

url: /.webui/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini
path: /.webui/
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS WebIQ 2.15.9 Directory Traversal Attempt (CVE-2024-8752)"; flow:established,to_server; http.request_line; content:"GET /.webui/"; startswith; fast_pattern; pcre:"/^.{0,10}(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; reference:url,github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-8752.yaml; reference:cve,2024-8752; classtype:web-application-attack; sid:2055916; rev:3; metadata:affected_product WebIQ, created_at 2024_09_18, cve CVE_2024_8752, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit requests target the /.webui/ endpoint using URL-encoded backslash traversal sequences (%5c) to escape the web root and read arbitrary Windows files (e.g., windows\win.ini).
  • Successful exploitation returns HTTP 200 with Content-Type image/svg+xml and a body containing win.ini markers: 'bit app support', 'fonts]', 'extensions]'.
  • The Emerging Threats Snort rule (SID 2055916) uses a PCRE to detect URL-encoded dot-dot-slash/backslash sequences after /.webui/ in HTTP GET request lines: /^.{0,10}(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R
  • Shodan query 'title:"WebIQ"' can be used to identify exposed WebIQ instances on the internet for proactive asset discovery.
  • The vulnerability is specific to the Windows version of WebIQ 2.15.9; the traversal payload relies on Windows backslash path separators (%5c) and is not applicable to non-Windows deployments.
  • No authentication is required to exploit this vulnerability (PR:N, UI:N in CVSS), meaning any unauthenticated remote attacker can read arbitrary files.

CVSS provenance

nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck | | 9.3 | CRITICAL |