Today, CISA and the Federal Bureau of Investigation (FBI) released a joint Secure by Design Alert, Eliminating Directory Traversal Vulnerabilities in Software. This Alert was crafted in response to recent well-publicized threat actor campaigns that exploited directory traversal vulnerabilities in software (e.g., CVE-2024-1708, CVE-2024-20345) to compromise users of the software—impacting critical infrastructure sectors, including the Healthcare and Public Health Sector.
Additionally, this Alert highlights the prevalence, and continued threat actor exploitation of, directory traversal defects. Currently, CISA has listed 55 directory traversal vulnerabilities in our Known Exploited Vulnerabilities (KEV) catalog. Approaches to avoid directory traversal vulnerabilities are known, yet threat actors continue to exploit these vulnerabilities which have impacted the operation of critical services, including hospital and school operations.
CISA and the FBI urge software manufacturer executives to require their organizations to conduct formal testing to determine their products’ susceptibility to directory traversal vulnerabilities.
For more information on recommended principles and best practices to achieve this goal, visit CISA’s Secure by Design page. To catch up on the publications in this series, visit Secure by Design Alerts.
CISA released four Industrial Control Systems (ICS) advisories on August 19, 2025. These advisories provide…
CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence…
CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence…
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence…
CISA released thirty-two Industrial Control Systems (ICS) advisories on August 14, 2025. These advisories provide…
CISA, along with the National Security Agency, the Federal Bureau of Investigation, Environmental Protection Agency,…
This website uses cookies.