Secure by Design Alert: Eliminating Directory Traversal Vulnerabilities in Software
CISA and the Federal Bureau of Investigation (FBI) crafted this Alert in response to recent well-publicized threat actor campaigns that exploited directory traversal vulnerabilities in software (e.g., CVE-2024-1708, CVE-2024-20345) to compromise users of the software, impacting critical infrastructure sectors, including the Healthcare and Public Health Sector. Additionally, this Alert highlights the prevalence of directory traversal defects and threat actors' continued exploitation of them.
Currently, CISA has listed 55 directory traversal vulnerabilities in our Known Exploited Vulnerabilities (KEV) catalog. Approaches to avoid directory traversal vulnerabilities are known, yet threat actors continue to exploit these vulnerabilities, and that exploitation has impacted the operation of critical services, including hospital and school operations.
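The defect behind this class of vulnerability is simple: a user-supplied path is joined onto a base directory and the result is opened without checking that it still lies inside that directory. The following is an added example, not code from the Alert or from any affected product, showing the vulnerable pattern beside the hardened form that the known avoidance approaches amount to: decode once, reject absolute paths and NUL bytes, canonicalize with symlinks resolved, and verify containment with a path-aware comparison rather than a string prefix. The base directory `/srv/app/uploads` and every input path are constructed for illustration and assume a POSIX filesystem.

```python
import os
from urllib.parse import unquote

# Constructed base directory for this example; not a path from any real deployment.
UPLOAD_ROOT = "/srv/app/uploads"


class PathTraversalError(ValueError):
    """Raised when a requested path would escape the permitted base directory."""


def vulnerable_resolve(base_dir: str, user_path: str) -> str:
    """The defect pattern: the caller's string is joined onto base_dir and used as-is.

    Nothing stops '../' segments from walking out of base_dir. This function
    exists only to show the bug; it must not be used to open files.
    """
    return os.path.normpath(os.path.join(base_dir, user_path))


def safe_resolve(base_dir: str, user_path: str) -> str:
    """Hardened form: returns a canonical path guaranteed to sit under base_dir.

    Steps, in order:
      1. URL-decode once so encoded dots and slashes are judged in decoded form.
      2. Reject NUL bytes (they truncate paths in C-level file APIs).
      3. Reject absolute paths (os.path.join would discard base_dir).
      4. Canonicalize both base and candidate with symlinks resolved.
      5. Check containment with commonpath, which compares whole components
         and so does not confuse 'uploads' with 'uploads_old'.
    """
    decoded = unquote(user_path)
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in requested path")
    if os.path.isabs(decoded):
        raise PathTraversalError("absolute paths are not permitted")

    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, decoded))

    # commonpath works on path components; a plain startswith() check would
    # wrongly accept '/srv/app/uploads_old/x' for root '/srv/app/uploads'.
    if os.path.commonpath([root, candidate]) != root:
        raise PathTraversalError(f"path escapes base directory: {user_path!r}")
    return candidate


def is_contained(base_dir: str, user_path: str) -> bool:
    """Convenience predicate: True if user_path resolves inside base_dir."""
    try:
        safe_resolve(base_dir, user_path)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    # Constructed inputs: one legitimate request and several escape attempts.
    for requested in ["reports/q1.pdf", "a/../b.txt", "../../etc/passwd",
                      "%2e%2e/%2e%2e/etc/passwd", "/etc/passwd", "logs\x00.txt",
                      "../uploads_old/x"]:
        print(f"{requested!r:32} vulnerable -> {vulnerable_resolve(UPLOAD_ROOT, requested)}"
              f"  contained={is_contained(UPLOAD_ROOT, requested)}")
```

The two resolvers differ only in the checks between join and return, which is the point: the fix is a few lines at the boundary where untrusted input becomes a filesystem path, and it belongs in a single shared helper rather than being re-derived at every call site.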
For more information on recommended principles and best practices for eliminating this class of vulnerability, visit CISA’s Secure by Design page. To catch up on the publications in this series, visit Secure by Design Alerts.
Please share your thoughts with us via our anonymous product survey; we welcome your feedback.