CVE-2024-2224

HIGH

Bitdefender Endpoint Security and GravityZone Control Center - Remote Code Execution via UpdateServer Path Traversal

Title source: llm

Description

Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in the UpdateServer component of Bitdefender GravityZone allows an attacker to execute arbitrary code on vulnerable instances. This issue affects the following products that include the vulnerable component: Bitdefender Endpoint Security for Linux version 7.0.5.200089 Bitdefender Endpoint Security for Windows version 7.9.9.380 GravityZone Control Center (On Premises) version 6.36.1

References (1)

Core 1

Core References

Vendor Advisory

https://www.bitdefender.com/support/security-advisories/privilege-escalation-via-the-gravityzone-productmanager-updateserver-kitsmanager-api-va-11466/

Scores

CVSS v3 8.1

EPSS 0.0073

EPSS Percentile 49.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (3)

bitdefender/endpoint_security 7.0.5.200089

bitdefender/endpoint_security 7.9.9.380

bitdefender/gravityzone_control_center 6.36.1

Published Apr 09, 2024

Tracked Since Feb 18, 2026