
Software firms advised to eliminate direct-path access weaknesses by CISA and FBI

Software glitches implicated in ongoing cyberattacks targeting essential entities like healthcare providers and educational institutions.


In a recent alert, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have highlighted the importance of eliminating directory traversal vulnerabilities in software products. The goal is to reduce how often technology customers must themselves search for such vulnerabilities, which can expose their systems to malicious attacks.

The agencies recommend several key measures for software companies to eliminate directory traversal vulnerabilities. These measures are primarily focused on proper input validation, access controls, and defensive configurations.

  1. Strict input validation and sanitization: Ensure all user inputs that might affect file paths are rigorously checked and sanitized to prevent attackers from manipulating inputs to traverse directories outside the intended scope. Input should not be directly used to specify file or directory paths without validation.
  2. Avoid use of untrusted user input in file access: Software should avoid using user input for file path construction whenever possible. If dynamic file access is necessary, constrain file access to a predefined safe directory (a whitelist approach) to prevent unauthorized file retrieval or modification.
  3. Restrict file and directory permissions: Assign minimal access permissions to files and directories in the system so that even if a traversal attack occurs, critical files cannot be read or modified. This limits the impact of successful exploitation.
  4. Deploy Web Application Firewalls (WAFs) or threat prevention solutions: Use WAFs or security platforms capable of detecting and blocking directory traversal attack patterns, abnormal filename paths, or unauthorized file upload attempts related to traversal techniques.
  5. Enforce proper network security configurations: Restrict public access to cloud or enterprise applications and apply firewall policies and identity access controls to minimize exposure of vulnerable paths.
  6. Patch known vulnerabilities promptly: Apply security updates and patches quickly to address known directory traversal flaws that may enable remote code execution or unauthorized access, as emphasized by recent vulnerabilities like CVE-2025-6218 in common software.
  7. User education and monitoring: Train users to avoid opening suspicious files or archives that could exploit traversal vulnerabilities and monitor sensitive directories for unexpected changes.

In addition to these measures, software manufacturers are urged to build greater security into their products during the development stage. Application security testing should be used during software development to find places where validation is missing, according to Chris Wysopal, CTO and co-founder of Veracode.

The alert also emphasizes the importance of proactively identifying directory traversal risks during development and deployment phases. This can be achieved by integrating automated vulnerability scanning and penetration testing tools like Nessus and Qualys.

The focus of this alert is on reducing exposure to attacks from rogue nation-states and criminal ransomware actors. The lingering question for corporate stakeholders is whether they are a target. The alert references two recent campaigns where threat groups engaged in extensive exploitation activity, specifically mentioning a path traversal vulnerability in ConnectWise ScreenConnect (CVE-2024-1708) and a vulnerability in the file upload functionality of Cisco AppDynamics Controller (CVE-2024-20345).

CISA is pushing for a key tenet of the Biden administration's national cybersecurity strategy: secure by design. Manufacturers can prevent directory traversal vulnerabilities by generating random identifiers for each file and storing related metadata separately. They can also limit the types of characters used in file names, for example, only allowing alphanumeric characters.
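The validation and allow-listed-directory controls from the numbered list above, combined with the random-identifier and separate-metadata design described here, as an added Python example (not code from the advisory or the article; SafeFileStore, resolve_within and the temporary directory used by demo() are assumed names for illustration):

```python
import os
import re
import secrets
import tempfile
from pathlib import Path

# Allow-list for client-supplied names: alphanumerics plus ".", "_", "-", no path
# separators and no leading dot, so ".." and hidden files can never match.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

def resolve_within(base_dir, user_path):
    """Canonical path of user_path under base_dir, or None if it escapes.
    Both sides are canonicalised (collapsing '..', following symlinks) before the
    commonpath check, so 'a/../../x' and absolute paths are caught without
    pattern-matching on '../'."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    return candidate if os.path.commonpath([base, candidate]) == base else None

class SafeFileStore:
    """Each upload is stored under a random id; the client's name never becomes a path."""
    def __init__(self, base_dir):
        self.base = Path(base_dir).resolve()
        self.metadata = {}  # file_id -> validated original name, kept off the path

    def put(self, original_name, data):
        if not SAFE_NAME.fullmatch(original_name):
            raise ValueError(f"rejected filename: {original_name!r}")
        file_id = secrets.token_hex(16)  # 128 random bits, not derived from input
        (self.base / file_id).write_bytes(data)
        self.metadata[file_id] = original_name
        return file_id

    def get(self, file_id):
        if file_id not in self.metadata:  # unknown ids never reach the filesystem
            raise KeyError(file_id)
        return (self.base / file_id).read_bytes()

def demo():
    """Round-trip one constructed upload and probe the path check in a throwaway dir.
    Returns (stored bytes, id length, inside-path accepted?, escaping-path result)."""
    with tempfile.TemporaryDirectory() as tmp:
        store = SafeFileStore(tmp)
        fid = store.put("report.txt", b"quarterly")
        return (store.get(fid), len(fid),
                resolve_within(tmp, "reports/2024.txt") is not None,
                resolve_within(tmp, "reports/../../outside.txt"))
```

The canonicalise-then-compare check in resolve_within is what a web application firewall cannot fully replace: a WAF matches request patterns, while this check decides on the path the filesystem will actually open.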

Organizations should ask software manufacturers if they have conducted formal tests to check for directory traversal vulnerabilities before using their products. As the threat landscape continues to evolve, it is crucial for software companies to prioritize security and adopt these recommended measures to protect their customers from potential attacks.

  1. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) advise software companies to prioritize security, adopting measures such as strict input validation and sanitization to eliminate directory traversal vulnerabilities.
  2. To reduce how often technology customers must themselves search for vulnerabilities that can expose their systems to malicious attacks, the agencies recommend restricting file and directory permissions, deploying Web Application Firewalls (WAFs) or threat prevention solutions, and enforcing proper network security configurations.
  3. In light of the ongoing evolution of the threat landscape and the potential dangers posed by rogue nation-states and criminal ransomware actors, organizations should ask software manufacturers if they have conducted formal tests to ensure their products are secure by design, using measures like generating random identifiers for files and limiting characters used in file names.
