A critical vulnerability in the Fortra FileCatalyst managed file transfer (MFT) service could enable remote code execution (RCE) and web shell deployment by an unauthenticated attacker.
A Fortra advisory and a full proof-of-concept (PoC) exploit for the vulnerability were published March 13.
Tom Wedgbury, a managing senior security consultant at LRQA Nettitude, discovered the bug in early August 2023, and Fortra released a patch days later noting “various security fixes” in its release notes.
The full disclosure and PoC release came after Fortra was first authorized as a CVE Numbering Authority in early December. The CVE for the flaw — CVE-2024-25153 — was ultimately issued at Wedgbury’s request, according to Fortra.
CVE-2024-25153 allows anonymous user to upload, read and modify files
The vulnerability, which has a CVSS score of 9.8, affects versions of Fortra FileCatalyst prior to Version 5.1.6 Build 114. It is a directory traversal flaw that enables files to be uploaded to restricted locations via a specially crafted POST request.
Details about the flaw and its potential exploitation were published by Wedgbury in a LRQA Nettitude Labs blog post. The post explains how a POST request to the “ftpservlet” path within FileCatalyst Workflow can be manipulated to upload files outside the intended “uploadtemp” directory.
FileCatalyst Workflow’s “public access” login option, which is enabled by default, enables an attacker to call ftpservlet without any credentials. Wedgbury also showed how FileCatalyst Workflow could be reverse engineered to reveal the hidden query parameter “bb.decode(KVhV),” which is used to generate session IDs.
Uploaded files are sent to the location https://{url}/workflow/uploadtemp/{session_id}/{file_name}, and the file name segment is properly sanitized for slash characters to prevent path traversal, LRQA Nettitude found.
However, the session ID segment did not have the same protection, and leveraging the hidden query parameter to replace the session ID with a series of dot-dot-slash characters (../) enabled traversal into other directories.
Wedgbury noted that the temporary upload directory (usually uploadtemp) is automatically deleted after a short time. The time period is sufficiently long to complete a successful exploit, but attempting to upload files to the top level web root risks deleting the entire application.
Using the session ID manipulation tactic to upload files, LRQA Nettitude’s PoC exploit uploads a command shell to any vulnerable FileCatalyst Workflow instance and executes an OS command such as “whoami” (which displays the current user’s username on Unix-like and Windows machines) or “ls” (which lists a directory’s contents on Unix-like operating systems).
An attacker could leverage remote OS commands to read and modify files in the target directory, leading to a potential data breach or additional injection of malicious code.
LRQA Nettitude originally discovered this flaw when conducting a security assessment for a customer who used Fortra FileCatalyst as part of their external infrastructure. In addition to FileCatalyst Workflow, the researchers found FileCatalyst Direct to be vulnerable to the same exploit.
MFT exploitation risks major supply chain attacks
CVE-2024-25153 is not the first major vulnerability to impact Fortra file transfer services.
Early last year, the Fortra GoAnywhere RCE vulnerability tracked as CVE-2023-0669, discovered by Rapid7, was exploited by the ransomware gang Clop. More than 130 organizations were compromised during the group’s campaign, including Community Health Systems in Tennessee, which reported that the data of 1 million patients was exposed.
Additionally, another critical Fortra GoAnywhere bug, tracked as CVE-2024-0204, was exploited in the wild following the public release of a PoC exploit. However, widescale damage was avoided due to very few unpatched instances being exposed to the internet.
One of the most consequential supply chain attacks of 2023 was the result of an MFT vulnerability: the Progress Software MOVEit breach affected hundreds of organizations and caused more than $100 million in ransom payments to be made to the Clop cybergang, according to Chainalysis.
While a patch for CVE-2024-25153 has been available for about five months, research conducted by Mend last year found that security teams take an average of 271 days (nearly nine months) to remediate vulnerabilities. Additionally, Qualys published research in December that found 25% of high-risk vulnerabilities are exploited within 24 hours of their public disclosure.
There have been no reports of CVE-2024-25153 exploitation in the wild as of Monday.
