CVE-2024-8752: Smart-hmi WebIQ Path Traversal Flaw

CVE-2024-8752 Overview

CVE-2024-8752 is a directory traversal vulnerability affecting the Windows version of Smart-HMI WebIQ 2.15.9. Remote attackers can exploit the flaw to read arbitrary files on the underlying Windows host without authentication. The issue is tracked under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).

WebIQ is a web-based human-machine interface (HMI) used in industrial automation environments. Unauthenticated file disclosure on such systems can expose credentials, configuration files, and operational data used by control system operators.

Critical Impact

Unauthenticated remote attackers can read any file accessible to the WebIQ service account on the Windows host, including sensitive HMI configuration and system files.

Affected Products

• Smart-HMI WebIQ 2.15.9 (Windows build)
• Microsoft Windows hosts running the affected WebIQ release
• Industrial HMI deployments exposing WebIQ over the network

Discovery Timeline

• 2024-09-16 - CVE-2024-8752 published to NVD with a Tenable Research Advisory
• 2024-09-20 - Last updated in NVD database

Technical Details for CVE-2024-8752

Vulnerability Analysis

The WebIQ web server fails to properly sanitize user-controlled path components in HTTP requests. An attacker can supply traversal sequences such as ..\ or ../ in a request URL to escape the intended web root. The server resolves the manipulated path and returns the contents of arbitrary files on the Windows filesystem.

Because the attack vector is network-based and requires no authentication or user interaction, exposure is determined entirely by the network reachability of the WebIQ HTTP service. The EPSS score of 11.66% (95th percentile) reflects measurable interest in this class of flaw against industrial software.

Root Cause

The vulnerability stems from missing canonicalization and validation of file paths before they are passed to Windows file I/O APIs. WebIQ accepts request paths that contain .. segments and backslash separators, then concatenates them with a base directory without normalizing the result. Windows resolves the traversal at the filesystem layer, granting access to files outside the intended document root.

Attack Vector

Exploitation occurs over HTTP against the WebIQ listener. An attacker issues a crafted GET request that includes encoded or raw traversal sequences targeting known Windows paths such as C:\Windows\win.ini, application configuration files, or credentials stored on disk. The server reads the requested file under the privileges of the WebIQ service account and returns its contents in the HTTP response. No prior session, token, or credential is required.

No public proof-of-concept exploit is listed in Exploit-DB at the time of writing. Technical details are available in the Tenable Research Advisory TRA-2024-38.

Detection Methods for CVE-2024-8752

Indicators of Compromise

• HTTP requests to WebIQ containing ..\, ../, %2e%2e%2f, or %2e%2e%5c sequences in the URI or query string
• Access log entries referencing system paths such as Windows\win.ini, Windows\System32\drivers\etc\hosts, or WebIQ configuration files
• Successful HTTP 200 responses to URIs that fall outside the documented WebIQ application routes

Detection Strategies

• Inspect WebIQ and reverse-proxy logs for traversal patterns and decode URL-encoded payloads before pattern matching
• Deploy web application firewall (WAF) signatures that block traversal sequences targeting the WebIQ listener
• Correlate file read access events on the Windows host with inbound HTTP requests to the WebIQ service

Monitoring Recommendations

• Forward WebIQ HTTP logs and Windows file access events to a centralized SIEM or data lake for cross-source correlation
• Alert on requests from external sources to the WebIQ service, which should typically only be reachable from operator workstations
• Baseline normal WebIQ URI patterns and alert on deviations that include parent-directory references

How to Mitigate CVE-2024-8752

Immediate Actions Required

• Restrict network access to the WebIQ service to authorized operator networks using firewall rules or network segmentation
• Place WebIQ behind a reverse proxy or WAF configured to block path traversal sequences
• Audit the Windows account running WebIQ and reduce its filesystem privileges to the minimum required for operation

Patch Information

Refer to the Tenable Research Advisory TRA-2024-38 and the Smart-HMI vendor channels for fixed releases beyond WebIQ 2.15.9. Upgrade to a vendor-supplied patched version as soon as it is available and verify the fix in a staging environment before production rollout.

Workarounds

• Block external access to the WebIQ TCP port at the perimeter firewall until a patched version is deployed
• Enforce IP allowlisting on the WebIQ host so that only known operator and engineering workstations can connect
• Move sensitive configuration and credential files outside any directory reachable by the WebIQ service account

# Example Windows Firewall rule restricting WebIQ access to an operator subnet
New-NetFirewallRule -DisplayName "WebIQ Restrict Inbound" `
  -Direction Inbound `
  -Protocol TCP `
  -LocalPort 80,443 `
  -RemoteAddress 10.10.20.0/24 `
  -Action Allow

New-NetFirewallRule -DisplayName "WebIQ Block Other" `
  -Direction Inbound `
  -Protocol TCP `
  -LocalPort 80,443 `
  -Action Block