CVE-2024-25461 is a directory traversal vulnerability identified in Terrasoft Creatio CRM version 7.18.4.1532. The issue resides in the terrasoft.axd component, which improperly validates user-supplied input, allowing an attacker to craft requests that traverse directories outside the intended scope. This enables unauthorized access to sensitive files and information stored on the server, potentially exposing confidential business data. The vulnerability requires no authentication or user interaction, making it remotely exploitable over the network. The CVSS 3.1 base score is 7.5, reflecting high confidentiality impact but no effect on integrity or availability. The root cause is classified under CWE-22, indicating insufficient restriction on pathname inputs. Although no public exploits are currently known, the vulnerability poses a serious risk due to the sensitive nature of CRM data and the ease of exploitation. No official patches have been released yet, so organizations must implement interim controls to mitigate risk. This vulnerability highlights the importance of rigorous input validation and secure coding practices in web application components handling sensitive data.

The primary impact of CVE-2024-25461 is unauthorized disclosure of sensitive information stored within the Terrasoft Creatio CRM environment. Attackers exploiting this vulnerability can access files outside the intended directory, potentially exposing customer data, business intelligence, and proprietary information. This can lead to data breaches, loss of customer trust, regulatory penalties, and competitive disadvantage. Since the vulnerability does not affect integrity or availability, it does not allow data modification or service disruption directly. However, the confidentiality breach alone can have severe consequences, especially for organizations handling sensitive or regulated data. The ease of remote exploitation without authentication increases the risk profile, making it attractive for attackers. Organizations worldwide using this CRM version are at risk, particularly those with critical business operations relying on the confidentiality of CRM data.

1. Immediately restrict external access to the terrasoft.axd component via network controls such as firewalls or web application firewalls (WAFs) to limit exposure. 2. Implement strict input validation and sanitization on all parameters accepted by terrasoft.axd to prevent directory traversal sequences (e.g., ../). 3. Monitor logs for suspicious requests containing directory traversal patterns and investigate anomalies promptly. 4. Apply the principle of least privilege to the file system permissions of the CRM server, ensuring the application process cannot access unnecessary directories or files. 5. If possible, deploy temporary reverse proxies or URL rewriting rules to block traversal attempts targeting terrasoft.axd. 6. Stay alert for official patches or updates from Terrasoft and apply them promptly once available. 7. Conduct a thorough security review of all web-facing components to identify and remediate similar input validation weaknesses. 8. Educate administrators and security teams about this vulnerability and ensure incident response plans are updated to handle potential exploitation scenarios.