CVE-2024-2442
Description
A path traversal vulnerability in Franklin Fueling System EVO 550 and EVO 5000 allows unauthenticated remote attackers to read arbitrary files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
CVE-2024-2442 is a path traversal vulnerability (CWE-25) affecting Franklin Fueling System EVO 550 and EVO 5000 automatic tank gauges. All versions prior to 2.26.3.8963 are vulnerable. The flaw exists in the handling of file paths, enabling an attacker to traverse directories using '../' sequences and access sensitive files on the system [1].
Exploitation
The vulnerability is remotely exploitable with low attack complexity and requires no authentication or user interaction. An attacker with network access to the affected device can send specially crafted requests to read arbitrary files. The CVSS v3.1 vector string (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) confirms the low barrier to exploitation [1].
Impact
Successful exploitation allows an attacker to read sensitive files from the device, leading to a high confidentiality impact. The vulnerability does not affect integrity or availability directly, but the exposed information could be used for further attacks. The CVSS v4 base score of 8.7 underscores the severity [1].
Mitigation
Franklin Fueling Systems has released firmware version 2.26.3.8963 for both EVO 550 and EVO 5000 to fix the vulnerability. Users are strongly advised to update immediately. Additionally, CISA recommends minimizing network exposure of these devices, placing them behind firewalls, and isolating them from business networks [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.