CVE-2024-45241 is a directory traversal vulnerability identified in the GeneralDocs.aspx page of CentralSquare CryWolf, a False Alarm Management system widely used in public safety and emergency response environments. The vulnerability arises from insufficient validation of the rpt parameter, which is used to specify report files. By crafting a specially designed request, an unauthenticated attacker can traverse directories outside the web root and access arbitrary files on the server. This type of vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The vulnerability is remotely exploitable without any authentication or user interaction, increasing the risk of automated scanning and exploitation attempts. The CVSS v3.1 score of 7.5 reflects a high severity level, primarily due to the high confidentiality impact (disclosure of sensitive files) and the low attack complexity and no privileges required. Although no public exploits or patches are currently available, the vulnerability poses a significant risk to organizations relying on this software for critical false alarm management functions. Attackers could leverage disclosed information to further compromise the system or gain deeper network access. The absence of patches necessitates immediate risk mitigation through network-level controls and monitoring.

The primary impact of CVE-2024-45241 is the unauthorized disclosure of sensitive information stored on the affected server. This can include configuration files, credentials, internal documentation, or other data that could facilitate further attacks such as privilege escalation, lateral movement, or targeted intrusion campaigns. Since the vulnerability is exploitable without authentication, it significantly lowers the barrier for attackers, including opportunistic threat actors and automated scanners. Organizations operating CentralSquare CryWolf in critical infrastructure sectors such as emergency services, law enforcement, and public safety could face operational disruptions if sensitive data is exposed or leveraged in follow-on attacks. The exposure of sensitive information could also lead to reputational damage, regulatory penalties, and loss of public trust. Given the nature of the affected software, the confidentiality breach could have cascading effects on emergency response effectiveness and public safety.

Until an official patch is released, organizations should implement the following specific mitigations: 1) Restrict external network access to the CentralSquare CryWolf web interface by using firewalls or VPNs to limit exposure to trusted users only. 2) Employ web application firewalls (WAFs) with custom rules to detect and block directory traversal attempts targeting the rpt parameter. 3) Conduct thorough logging and monitoring of web server access logs to identify suspicious requests containing traversal sequences (e.g., ../). 4) Review and harden file permissions on the server to minimize the amount of sensitive data accessible to the web application process. 5) If possible, isolate the CryWolf application server in a segmented network zone to reduce lateral movement risk. 6) Prepare for rapid patch deployment by establishing communication with CentralSquare for updates. 7) Educate incident response teams about this vulnerability to enable swift detection and response to exploitation attempts. These targeted actions go beyond generic advice by focusing on immediate risk reduction in the absence of a patch.