Connect with us

Hi, what are you looking for?



PoC Published for Critical Fortra Code Execution Vulnerability

A critical directory traversal vulnerability in Fortra FileCatalyst Workflow could lead to remote code execution.

Proof-of-concept (PoC) code is now available for a critical-severity vulnerability in Fortra FileCatalyst Workflow that allows remote attackers to execute arbitrary code.

Tracked as CVE-2024-25153 (CVSS score of 9.8), the issue is described as a directory traversal bug in FileCatalyst Workflow’s web portal, which provides file management capabilities to Fortra customers.

Identified in the ‘ftpservlet’ component of the web portal, the flaw can be exploited using crafted POST requests to upload files outside the intended temporary directory.

A remote attacker could use the vulnerability to successfully upload JSP files in the web portal’s root directory and gain arbitrary code execution. In its advisory, Fortra warns that attackers could upload and execute web shells.

The flaw was discovered in August 2023 and addressed in FileCatalyst Workflow version 5.1.6 Build 114, without a CVE identifier.

However, Fortra became a CVE Numbering Authority (CNA) in December 2023, after which it assigned CVE-2024-25153 to the vulnerability and planned public disclosure with Nettitude security researcher Tom Wedgbury, who identified the flaw.

Last week, Fortra issued an advisory on this bug, while Wedgbury released PoC code and published a technical writeup detailing how an attacker could exploit the bug to upload a web shell and execute system commands.

Threat actors, cybersecurity firm SOCRadar warns, could weaponize the PoC code and use it in attacks targeting vulnerable systems. Organizations are advised to update to a patched FileCatalyst Workflow version as soon as possible.

Advertisement. Scroll to continue reading.

Last week, Fortra also announced that FileCatalyst Direct 3.8.9 patched one high-severity and one medium-severity bug leading to arbitrary code execution and information disclosure, respectively, and that GoAnywhere MFT 7.4.2 was released with fixes for a medium-severity flaw leading to information disclosure.

Additional information can be found on Fortra’s product security page. The company makes no mention of any of these vulnerabilities being exploited in the wild, but security defects in its products have been targeted in attacks.

Related: PoC Code Published for Just-Disclosed Fortra GoAnywhere Vulnerability

Related: PoC Exploit Published for Critical Jenkins Vulnerability

Related: Recent Juniper Flaws Chained in Attacks Following PoC Exploit Publication

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Cody Barrow has been appointed the new CEO of threat intelligence company EclecticIQ.

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

More People On The Move

Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.