CVE-2024-38292

Critical

Published: 27 February 2025

Published

27 February 2025

Modified

11 July 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0049 65.5th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

In Extreme Networks XIQ-SE before 24.2.11, due to a missing access control check, a path traversal is possible, which may lead to privilege escalation.

Security Summary

CVE-2024-38292 is a path traversal vulnerability (CWE-22) affecting Extreme Networks XIQ-SE versions before 24.2.11. The issue stems from a missing access control check, which enables attackers to traverse directories and potentially escalate privileges. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its high impact on confidentiality, integrity, and availability.

An unauthenticated remote attacker with network access can exploit this vulnerability with low attack complexity and no user interaction. Exploitation allows traversal of intended file paths, leading to privilege escalation and potential unauthorized access to sensitive data or system controls.

Extreme Networks security advisory SA-2024-104 addresses this issue, recommending an upgrade to XIQ-SE version 24.2.11 or later as the primary mitigation. Additional details are available at https://community.extremenetworks.com/t5/security-advisories-formerly/sa-2024-104-xiq-se-path-traversal-privilege-escalation-cve-2024/ba-p/116362.

Details

CWE(s): CWE-22

Affected Products

extremenetworks

xiq-se

≤ 24.2.11

References

https://community.extremenetworks.com/t5/security-advisories-formerly/sa-2024-104-xiq-se-path-traversal-privilege-escalation-cve-2024/ba-p/116362
Vendor Advisory · cve@mitre.org