📄 Description (English)
OpenCTI 3.3.1 is vulnerable to a directory traversal attack via the static/css endpoint. An unauthenticated attacker can read arbitrary files from the filesystem by sending crafted GET requests with path traversal sequences (e.g., '../') in the URL. For example, requesting /static/css//../../../../../../../../etc/passwd returns the contents of /etc/passwd. This vulnerability was discovered by Raif Berkay Dincel and confirmed on Linux Mint and Windows 10.
🤖 AI Executive Summary
OpenCTI 3.3.1 contains a critical unauthenticated directory traversal vulnerability in the static/css endpoint that allows attackers to read arbitrary files from the server filesystem. An attacker can exploit path traversal sequences to access sensitive files like /etc/passwd without authentication. This vulnerability poses an immediate risk to organizations using OpenCTI for threat intelligence operations, potentially exposing sensitive configuration files, credentials, and intelligence data.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 30, 2026 03:48
🇸🇦 Saudi Arabia Impact Assessment
Saudi government agencies (NCA, NCSC), banking sector (SAMA-regulated institutions), and critical infrastructure operators using OpenCTI for threat intelligence are at high risk. Exposure of intelligence databases, security configurations, and API credentials could compromise national cybersecurity operations. Telecom operators (STC, Mobily) and energy sector organizations (ARAMCO) relying on OpenCTI for threat monitoring face potential data exfiltration of sensitive security intelligence and operational technology configurations.
🏢 Affected Saudi Sectors
Government & National Security (NCA, NCSC)
Banking & Financial Services (SAMA-regulated)
Critical Infrastructure (Energy, Utilities)
Telecommunications (STC, Mobily)
Healthcare
Defense & Military
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all OpenCTI 3.3.1 instances in your environment and isolate them from untrusted networks
2. Review access logs for the /static/css endpoint for suspicious path traversal patterns (../, ..\, encoded variants)
3. Assume compromise if logs show exploitation attempts; audit all files accessible to the OpenCTI process
PATCHING:
1. Upgrade OpenCTI immediately to version 3.3.2 or later
2. Apply vendor security patches as released by Citeum
3. Test patches in non-production environment before deployment
COMPENSATING CONTROLS (if immediate patching not possible):
1. Implement WAF rules to block requests containing path traversal sequences (../, ..\ , %2e%2e, %252e%252e) to /static/css endpoint
2. Restrict network access to OpenCTI to authorized IP ranges only
3. Implement authentication/authorization at reverse proxy level
4. Monitor for exploitation attempts using IDS/IPS signatures
DETECTION RULES:
1. Alert on GET requests to /static/css with path traversal patterns
2. Monitor for access to sensitive files (/etc/passwd, /etc/shadow, configuration files)
3. Log all unauthenticated access attempts to static endpoints
4. Implement file integrity monitoring on sensitive configuration files
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حدد جميع مثيلات OpenCTI 3.3.1 في بيئتك وعزلها عن الشبكات غير الموثوقة
2. راجع سجلات الوصول لنقطة النهاية /static/css بحثاً عن أنماط المسار المريبة (../, ..\, المتغيرات المشفرة)
3. افترض الاختراق إذا أظهرت السجلات محاولات استغلال؛ قم بتدقيق جميع الملفات التي يمكن الوصول إليها بواسطة عملية OpenCTI
التصحيح:
1. قم بترقية OpenCTI فوراً إلى الإصدار 3.3.2 أو أحدث
2. طبق تصحيحات الأمان الصادرة عن Citeum
3. اختبر التصحيحات في بيئة غير الإنتاج قبل النشر
الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):
1. طبق قواعد WAF لحظر الطلبات التي تحتوي على تسلسلات المسار (../, ..\ , %2e%2e, %252e%252e) إلى نقطة النهاية /static/css
2. قيد الوصول إلى الشبكة إلى OpenCTI لنطاقات IP المصرح بها فقط
3. طبق المصادقة/التفويض على مستوى الوكيل العكسي
4. راقب محاولات الاستغلال باستخدام توقيعات IDS/IPS
قواعد الكشف:
1. تنبيه على طلبات GET إلى /static/css بأنماط المسار
2. مراقبة الوصول إلى الملفات الحساسة (/etc/passwd, /etc/shadow, ملفات التكوين)
3. تسجيل جميع محاولات الوصول غير المصرح بها إلى نقاط النهاية الثابتة
4. تطبيق مراقبة سلامة الملفات على ملفات التكوين الحساسة
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Access Control Policies
ECC 2024 A.6.1.1 - Information Security Roles and Responsibilities
ECC 2024 A.8.1.1 - Asset Management
ECC 2024 A.12.2.1 - Restrictions on Software Installation
ECC 2024 A.14.2.1 - Secure Development Policy
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Software Inventory
SAMA CSF PR.AC-1 - Access Control
SAMA CSF PR.PT-1 - Security Testing
SAMA CSF DE.CM-1 - Network Monitoring
SAMA CSF RS.MI-1 - Incident Response
🟡 ISO 27001:2022
ISO 27001:2022 A.5.1 - Policies for Information Security
ISO 27001:2022 A.6.1 - Organization of Information Security
ISO 27001:2022 A.8.1 - Asset Management
ISO 27001:2022 A.12.6 - Change Management
ISO 27001:2022 A.14.2 - Secure Development
🔗 References & Sources 4
🔗
https://github.com/OpenCTI-Platform/opencti
disclosure@vulncheck.com
Product
🔗
https://www.exploit-db.com/exploits/48595
disclosure@vulncheck.com
Exploit
Third Party Advisory
VDB Entry
🔗
https://www.opencti.io/
disclosure@vulncheck.com
Product
🔗
https://www.vulncheck.com/advisories/opencti-directory-traversal
disclosure@vulncheck.com
Broken Link
📦 Affected Products / CPE 1 entries
citeum:opencti:3.3.1