CRITICAL🇵🇱 Wersja polska

CVE-2024-9924

CVSS 9.8v3.1pub. 2024-10-14upd. 2026-04-15

The fix for CVE-2024-26261 was incomplete, and and the specific package for OAKlouds from Hgiga remains at risk. Unauthenticated remote attackers still can download arbitrary system files, which may be deleted subsequently .

🤖 AI Analysis
How it works

The vulnerability is based on improper handling of absolute paths (CWE-36 — absolute path traversal), which allows an attacker to request arbitrary files outside the allowed directory. Since access does not require authentication, an attacker can send a crafted network request and obtain the contents of any system file. Additionally, downloaded files can subsequently be deleted from the server, posing a risk of permanent data loss.

Impact

An attacker can gain access to sensitive system files (e.g., configurations, credentials) and permanently delete them, causing system disruption or data loss.

Mitigation & patch

Apply patches available from the manufacturer (Hgiga) according to references published by TWCERT (https://www.twcert.org.tw/en/cp-139-8131-0b5e1-2.html). The previous patch for CVE-2024-26261 is insufficient — an update dedicated to CVE-2024-9924 is required.

Who is affected

Hgiga's OAKlouds package — versions specified in manufacturer references (the vulnerability affects products where the incomplete patch for CVE-2024-26261 was implemented)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References