CVE-2024-46645 is a directory traversal vulnerability identified in eNMS version 4.0.0, specifically within the get_tree_files functionality. Directory traversal (CWE-22) occurs when an application fails to properly sanitize user-supplied input that specifies file paths, allowing attackers to manipulate the path to access files outside the intended directory scope. In this case, the vulnerability enables remote, unauthenticated attackers to craft requests that traverse directories and read arbitrary files on the server hosting eNMS. The CVSS v3.1 base score of 7.5 reflects a high-severity issue due to the vulnerability's network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The impact is primarily on confidentiality (C:H), as attackers can access sensitive files, but there is no impact on integrity or availability. Although no public exploits are currently known, the vulnerability's characteristics make it a significant risk, especially for organizations that expose eNMS services to untrusted networks. eNMS is a network management system used to monitor and manage network devices, often deployed in telecommunications and enterprise environments, making the confidentiality breach potentially severe. The lack of available patches at the time of publication increases the urgency for defensive measures. Proper input validation and path normalization are critical to prevent exploitation. The vulnerability was reserved and published in September 2024, indicating recent discovery and disclosure.

The primary impact of CVE-2024-46645 is unauthorized disclosure of sensitive information due to the ability to read arbitrary files on the affected system. This can lead to exposure of configuration files, credentials, logs, or other sensitive data that could facilitate further attacks or compromise. Since the vulnerability does not affect integrity or availability, it does not directly enable data modification or service disruption. However, the confidentiality breach can have cascading effects, such as enabling lateral movement, privilege escalation, or targeted attacks against the organization. Organizations relying on eNMS 4.0.0 for network management, especially in critical infrastructure sectors like telecommunications, finance, and government, face increased risk of data leakage and espionage. The ease of exploitation (no authentication or user interaction required) and network accessibility amplify the threat. Without mitigation, attackers can remotely exploit this vulnerability to gain sensitive insights into network configurations and operational details, potentially undermining organizational security posture.

1. Immediately restrict network access to the eNMS management interface, limiting it to trusted internal networks or VPNs to reduce exposure. 2. Deploy Web Application Firewalls (WAFs) or Intrusion Prevention Systems (IPS) with rules specifically designed to detect and block directory traversal attempts targeting get_tree_files or similar endpoints. 3. Implement strict input validation and path normalization on the server side to sanitize and validate all file path parameters, ensuring they do not contain traversal sequences such as '../'. 4. Monitor logs for suspicious requests containing directory traversal patterns and respond promptly to any detected exploitation attempts. 5. Engage with the eNMS vendor or community to obtain patches or updates addressing this vulnerability as soon as they become available. 6. Conduct a thorough audit of exposed files and credentials that may have been accessed to assess potential data leakage and take remediation actions. 7. Educate network and security teams about this vulnerability to ensure rapid detection and response. 8. Consider deploying network segmentation to isolate critical management systems from general user networks.