CISA, FBI Urge Organizations to Eliminate Path Traversal Vulnerabilities

CISA and the FBI warn of threat actors abusing path traversal software vulnerabilities in attacks targeting critical infrastructure.

The US cybersecurity agency CISA and the FBI on Thursday released a Secure by Design Alert warning of path traversal software vulnerabilities being exploited in attacks targeting critical infrastructure entities.

Also known as directory traversal, path traversal flaws rely on manipulated user input to access application files and directories that should not be accessible. Successful exploitation allows threat actors to manipulate arbitrary files, read sensitive data, and potentially fully compromise the system.

Documented for over two decades and deemed ‘unforgivable’ in 2007, path traversal defects remain a persistent class of bugs in software, with at least two recent issues exploited against critical infrastructure sectors, including healthcare and public health organizations.

In response to the exploitation of the two vulnerabilities – which impact ConnectWise ScreenConnect (CVE-2024-1708) and Cisco AppDynamics Controller (CVE-2024-20345) – CISA and the FBI, in an alert published as a PDF, are urging organizations to ensure their software developers eliminate this class of security defects.

CISA currently lists 55 path traversal flaws in its Known Exploited Vulnerabilities (KEV) Catalog.

The two US government agencies underline that a secure by design software development lifecycle is the basis for eliminating security holes, including path traversal flaws, because products are then built in a way that reasonably protects them from exploitation.

“Incorporating this risk mitigation at the outset—beginning in the design phase and continuing through product release and updates—reduces both the burden of cybersecurity on customers and risk to the public,” CISA and the FBI note.

Well-known and effective mitigations include using random identifiers for files and storing metadata separately, or limiting the number of characters in file names and ensuring that uploaded files do not have execution permissions.
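As an added illustration of the mitigations listed above (example code, not from the alert or from either agency), a small Python upload store that never lets client input become part of an on-disk path: files are saved under a random identifier, the supplied name is kept only as truncated metadata, and the execute bit is never set; is_within_root shows the canonicalise-then-check test for APIs that must still accept a client-supplied path. All names here (UPLOAD_ROOT, is_within_root, store_upload, resolve_upload) are assumptions.

```python
import os
import secrets
import stat
import tempfile
from pathlib import Path
from typing import Optional

# Hypothetical storage root for this demo (assumption, not from the alert).
UPLOAD_ROOT = Path(tempfile.gettempdir()) / "uploads_example"
MAX_NAME_LEN = 64  # cap on the client-supplied name kept as metadata
ID_LEN = 32        # hex digits in a stored-file identifier


def is_within_root(root: Path, requested: str) -> bool:
    """Check for APIs that still take a client path: canonicalise first, then
    require the result to sit strictly inside root. '../' sequences, absolute
    paths and symlinks pointing outside the root all resolve elsewhere."""
    base = root.resolve()
    candidate = (base / requested).resolve()
    return base in candidate.parents


def store_upload(original_name: str, data: bytes, root: Path = UPLOAD_ROOT) -> dict:
    """Write data under a random identifier; the client's name is metadata only."""
    root.mkdir(parents=True, exist_ok=True)
    file_id = secrets.token_hex(ID_LEN // 2)  # client input never reaches the path
    # O_EXCL refuses to overwrite; mode 0o600 means no execute bit is ever set.
    fd = os.open(root / file_id, os.O_WRONLY | os.O_CREAT | os.O_EXCL,
                 stat.S_IRUSR | stat.S_IWUSR)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    # Display name is truncated and stored separately; escape it when rendering.
    return {"id": file_id, "display_name": original_name[:MAX_NAME_LEN], "size": len(data)}


def resolve_upload(file_id: str, root: Path = UPLOAD_ROOT) -> Optional[Path]:
    """Map an identifier back to its file, or return None for anything that is
    not a well-formed identifier or that would land outside the root."""
    if len(file_id) != ID_LEN or not all(c in "0123456789abcdef" for c in file_id):
        return None
    candidate = (root / file_id).resolve()
    if candidate.parent != root.resolve() or not candidate.is_file():
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample: a hostile display name is harmless because it never forms a path.
    record = store_upload("../../../etc/passwd", b"constructed sample upload")
    print(record, resolve_upload(record["id"]))
```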


OWASP’s guidance on path traversal flaws includes additional mitigations that both software manufacturers and cloud services operators are advised to review and implement.

Additionally, organizations are advised to test products against path traversal bugs and protect themselves against their exploitation by adhering to the three principles detailed in the secure by design guidance published in October 2023.

By fully implementing the recommended secure by design principles and practices, software manufacturers can protect their customers from a wide range of malicious attacks, the two agencies say.

“Further, CISA and the FBI urge manufacturers to publish their own secure by design roadmap to demonstrate that they are not simply implementing tactical controls but are strategically rethinking their responsibility in keeping customers safe,” CISA and the FBI note.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
