Fortra Patches Critical RCE Vulnerability in FileCatalyst Transfer Tool

Cyber Security

Products You May Like

Mar 18, 2024NewsroomVulnerability / Threat Mitigation

Fortra has released details of a now-patched critical security flaw impacting its FileCatalyst file transfer solution that could allow unauthenticated attackers to gain remote code execution on susceptible servers.

Tracked as CVE-2024-25153, the shortcoming carries a CVSS score of 9.8 out of a maximum of 10.

“A directory traversal within the ‘ftpservlet’ of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended ‘uploadtemp’ directory with a specially crafted POST request,” the company said in an advisory last week.

“In situations where a file is successfully uploaded to web portal’s DocumentRoot, specially crafted JSP files could be used to execute code, including web shells.”

Cybersecurity

The vulnerability, the company said, was first reported on August 9, 2023, and addressed two days later in FileCatalyst Workflow version 5.1.6 Build 114 without a CVE identifier. Fortra was authorized as a CVE Numbering Authority (CNA) in early December 2023.

Security researcher Tom Wedgbury of LRQA Nettitude has been credited with discovering and reporting the flaw. The company has since released a full proof-of-concept (PoC) exploit, describing how the flaw could be weaponized to upload a web shell and execute arbitrary system commands.

Also resolved by Fortra in January 2024 are two other security vulnerabilities in FileCatalyst Direct (CVE-2024-25154 and CVE-2024-25155) that could lead to information leakage and code execution.

With previously disclosed flaws in Fortra GoAnywhere managed file transfer (MFT) coming under heavy exploitation last year by threat actors like Cl0p, it’s recommended that users have applied the necessary updates to mitigate potential threats.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Products You May Like

Articles You May Like

SANS Institute Unveils Critical Infrastructure Strategy Guide for 2024: A Call to Action for Securing ICS/OT Environments
Reflect Orbital Plans to ‘Sell Sunlight’ at Night With the Help of Satellite Mirrors
Breaking Down AD CS Vulnerabilities: Insights for InfoSec Professionals
Itel Flip One Feature Phone Set to Launch in India in September
Infinix Hot 50 5G India Launch Date Set for September 5; Design, Key Features Revealed Ahead of Debut

Leave a Reply

Your email address will not be published. Required fields are marked *