CVE-2024-13984: Qi'anxin TianQing Management Center rptsvr Arbitrary File Upload
QiAnXin TianQing Management Center versions up to and including 6.7.0.4130 contain a path traversal vulnerability in the rptsvr component that allows unauthenticated attackers to upload files to arbitrary locations on the server. The /rptsvr/upload endpoint fails to sanitize the filename parameter in multipart form-data requests, enabling path traversal. This allows attackers to place executable files in web-accessible directories, potentially leading to remote code execution. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-08-23 UTC.
Security readout for executives and security teams
Plain-English summary
This flaw lets an unauthenticated attacker upload files outside the intended location in Qi'anxin TianQing Management Center. If attackers place executable files where the web server can run them, the issue can become remote code execution. Treat exposed systems as urgent because the supplied record rates it CVSS 10.
Executive priority
Prioritize immediately for any exposed deployment. The combination of unauthenticated access, arbitrary upload, and possible remote code execution creates direct operational risk to the management server and connected administrative environment.
Technical view
The /rptsvr/upload multipart endpoint does not properly sanitize the filename parameter, allowing path traversal during file upload. The supplied record describes affected TianQing Management Center versions up to and including 6.7.0.4130. CWE mappings are CWE-22 and CWE-73.
Likely exposure
Highest risk is internet-facing TianQing Management Center deployments, especially where /rptsvr/upload is reachable from untrusted networks. Exposure data is incomplete because the supplied affected CPE and default status fields are not fully populated.
Exploitation context
The CVE is not listed as KEV in the supplied bundle. The description says Shadowserver first observed exploitation evidence on 2024-08-23 UTC, but no supplied source proves current active exploitation.
Researcher notes
Do not rely on CPE matching alone; supplied affected metadata is sparse. Validate endpoint exposure, version, and file-system artifacts. Sources include technical writeups tagged as exploit references, but this analysis intentionally avoids payload or weaponization details.
Mitigation direction
Identify all TianQing Management Center instances and confirm build versions.
Remove public internet access; restrict management access to trusted networks or VPN.
Check Qi'anxin guidance for a fixed version or vendor mitigation.
Inspect web-accessible directories for unexpected uploaded executable files.
Review logs for suspicious /rptsvr/upload activity.
If compromise is suspected, isolate the host and rebuild from trusted media.
Validation and detection
Confirm whether /rptsvr/upload is reachable from untrusted networks.
Verify installed TianQing Management Center version and build number.
Review reverse proxy, WAF, and application logs for upload attempts.
Inspect application and web roots for unexpected new files.
Compare exposed management hosts against asset inventory.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-22: File access and web shell behavior lookup
File traversal and upload weaknesses can lead teams to review file, web shell, execution, and collection telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
File traversal and upload weaknesses can lead teams to review file, web shell, execution, and collection telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
The CVE wording references file access or upload behavior, so file telemetry and web shell review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
3Timeline events
1ADP providers
5Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: yesTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-22 · source CWE mapping
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
External Control of File Name or Path represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.