CVE-2024-50626 identifies a Directory Traversal vulnerability in the WebFS component of Digi ConnectPort LTS devices prior to version 1.4.12. Directory Traversal (CWE-22) is a common security flaw where an attacker manipulates file path inputs to access files and directories outside the intended scope. In this case, an attacker situated on the same local area network as the vulnerable device can craft specially formed URLs containing traversal sequences (such as ../) to navigate the file system arbitrarily. This can lead to unauthorized disclosure of sensitive files, configuration data, or potentially system files, compromising confidentiality. Furthermore, the attacker may alter or delete files, impacting integrity and availability. The vulnerability requires no privileges or user interaction, increasing its risk profile. The CVSS v3.1 score of 8.8 reflects high severity, with attack vector limited to adjacent network (AV:A), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no public exploits have been reported, the ease of exploitation and potential impact make this a critical concern for affected organizations. Digi ConnectPort LTS devices are commonly used in industrial and embedded environments, often in critical infrastructure and IoT deployments, increasing the potential impact of this vulnerability.

The vulnerability poses a significant risk to organizations using Digi ConnectPort LTS devices, particularly in industrial control, IoT, and embedded system contexts. Successful exploitation can lead to unauthorized access to sensitive configuration files, credentials, or operational data, resulting in data breaches and loss of confidentiality. Integrity may be compromised if attackers modify critical files, potentially disrupting device functionality or causing operational failures. Availability could also be affected if essential files are deleted or corrupted. Given the devices' deployment in critical infrastructure sectors such as manufacturing, energy, and transportation, the impact could extend to operational disruptions and safety risks. The requirement for attacker presence on the local network limits remote exploitation but does not eliminate risk in environments with weak network segmentation or insider threats. The absence of known exploits in the wild currently reduces immediate threat but does not diminish the urgency for remediation due to the vulnerability's high severity and ease of exploitation.

1. Upgrade Digi ConnectPort LTS devices to version 1.4.12 or later once available to apply the official patch addressing this vulnerability. 2. Until patches are deployed, implement strict network segmentation to isolate vulnerable devices from general user networks and untrusted devices, limiting LAN access. 3. Employ access control lists (ACLs) and firewall rules to restrict HTTP/WebFS access to trusted management hosts only. 4. Monitor device logs and network traffic for unusual URL requests containing traversal sequences (e.g., '../') indicative of exploitation attempts. 5. Disable or restrict WebFS functionality if not required for operational purposes to reduce attack surface. 6. Conduct regular security audits and vulnerability assessments on embedded and IoT devices to identify and remediate similar issues proactively. 7. Educate network administrators and security teams about the risks of local network attacks and the importance of internal network defenses.