Today, CISA and the Federal Bureau of Investigation (FBI) released a joint Secure by Design Alert, Eliminating Directory Traversal Vulnerabilities in Software. This Alert was crafted in response to recent well-publicized threat actor campaigns that exploited directory traversal vulnerabilities in software (e.g., CVE-2024-1708, CVE-2024-20345) to compromise users of the software—impacting critical infrastructure sectors, including the Healthcare and Public Health Sector.

Additionally, this Alert highlights the prevalence of directory traversal defects and their continued exploitation by threat actors. Currently, CISA has listed 55 directory traversal vulnerabilities in our Known Exploited Vulnerabilities (KEV) catalog. Approaches to avoid directory traversal vulnerabilities are known, yet threat actors continue to exploit these vulnerabilities, which have impacted the operation of critical services, including hospital and school operations.

CISA and the FBI urge software manufacturer executives to require their organizations to conduct formal testing to determine their products’ susceptibility to directory traversal vulnerabilities.
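As an added illustration (not code from the CISA/FBI Alert), the snippet below shows the defect class the Alert describes and the kind of susceptibility test it asks manufacturers to run. It assumes a Python web back end that serves files from a content root: `vulnerable_resolve` joins the caller-supplied path naively, `safe_resolve` canonicalises the result and refuses anything that lands outside the root, and `susceptibility_test` drives both through a constructed set of inputs and reports which ones escape. All function names and the temporary fixture are assumptions for the example.

```python
"""Added example: a vulnerable file-path resolver beside a hardened one, plus a
small susceptibility test. Not part of the CISA/FBI Secure by Design Alert."""
import os
import tempfile
from pathlib import Path


def vulnerable_resolve(root: str, user_path: str) -> str:
    """Naive join that trusts the caller's path: '..' segments and absolute
    paths walk out of the content root."""
    return os.path.join(root, user_path)


def safe_resolve(root: str, user_path: str) -> Path:
    """Return the canonical path of user_path under root, or raise ValueError.

    Canonicalising resolves '..' and symlinks first, so the containment
    check is made on the path the OS will actually open.
    """
    if "\x00" in user_path:
        # NUL bytes can truncate the path in lower-level APIs; never pass them on.
        raise ValueError("NUL byte in requested path")
    root_real = Path(root).resolve(strict=True)
    candidate = (root_real / user_path).resolve()
    try:
        candidate.relative_to(root_real)  # raises ValueError if outside root
    except ValueError:
        raise ValueError(f"path escapes content root: {user_path!r}") from None
    return candidate


def escapes_root(root: str, resolved: str) -> bool:
    """True when the real target of `resolved` is not inside `root`."""
    root_real = os.path.realpath(root)
    target_real = os.path.realpath(resolved)
    return os.path.commonpath([root_real, target_real]) != root_real


def susceptibility_test(resolver, root: str, cases) -> dict:
    """Run each case through `resolver`; classify as inside / escaped / blocked."""
    results = {}
    for case in cases:
        try:
            target = resolver(root, case)
        except ValueError:
            results[case] = "blocked"
            continue
        results[case] = "escaped" if escapes_root(root, str(target)) else "inside"
    return results


def build_fixture():
    """Constructed test tree: <tmp>/public is the content root, <tmp>/outside.txt
    is a file the server must never hand out. Returns (root, outside_file)."""
    parent = tempfile.mkdtemp(prefix="traversal-demo-")
    root = os.path.join(parent, "public")
    os.makedirs(os.path.join(root, "sub"))
    with open(os.path.join(root, "hello.txt"), "w") as fh:
        fh.write("public content\n")
    outside = os.path.join(parent, "outside.txt")
    with open(outside, "w") as fh:
        fh.write("must not be served\n")
    return root, outside


def traversal_cases(outside_file: str):
    """Constructed inputs a formal test would feed the resolver."""
    return [
        "hello.txt",          # legitimate request
        "sub/../hello.txt",   # '..' that still stays inside the root
        "../outside.txt",     # classic traversal out of the root
        outside_file,         # absolute path supplied by the caller
    ]


if __name__ == "__main__":
    root, outside = build_fixture()
    cases = traversal_cases(outside)
    for name, resolver in (("vulnerable", vulnerable_resolve), ("hardened", safe_resolve)):
        print(name)
        for case, verdict in susceptibility_test(resolver, root, cases).items():
            print(f"  {verdict:8} {case}")
```

Running the script prints an `escaped` verdict for the traversal and absolute-path cases under the naive resolver and `blocked` for the same cases under the hardened one; a product's formal test suite would fail the build on any `escaped` result. Note that the hardened version checks the resolved path, not the request string, so symlinks inside the root that point outside it are also refused.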

For more information on recommended principles and best practices to achieve this goal, visit CISA’s Secure by Design page. To catch up on the publications in this series, visit Secure by Design Alerts.
