Proof-of-concept (PoC) code is now available for a critical-severity vulnerability in Fortra FileCatalyst Workflow that allows remote attackers to execute arbitrary code.
Tracked as CVE-2024-25153 (CVSS score of 9.8), the issue is described as a directory traversal bug in FileCatalyst Workflow’s web portal, which provides file management capabilities to Fortra customers.
Identified in the ‘ftpservlet’ component of the web portal, the flaw can be exploited using crafted POST requests to upload files outside the intended temporary directory.
A remote attacker could use the vulnerability to successfully upload JSP files in the web portal’s root directory and gain arbitrary code execution. In its advisory, Fortra warns that attackers could upload and execute web shells.
The flaw was discovered in August 2023 and addressed in FileCatalyst Workflow version 5.1.6 Build 114, without a CVE identifier.
However, Fortra became a CVE Numbering Authority (CNA) in December 2023, after which it assigned CVE-2024-25153 to the vulnerability and planned public disclosure with Nettitude security researcher Tom Wedgbury, who identified the flaw.
Last week, Fortra issued an advisory on this bug, while Wedgbury released PoC code and published a technical writeup detailing how an attacker could exploit the bug to upload a web shell and execute system commands.
Threat actors, cybersecurity firm SOCRadar warns, could weaponize the PoC code and use it in attacks targeting vulnerable systems. Organizations are advised to update to a patched FileCatalyst Workflow version as soon as possible.
Last week, Fortra also announced that FileCatalyst Direct 3.8.9 patched one high-severity and one medium-severity bug leading to arbitrary code execution and information disclosure, respectively, and that GoAnywhere MFT 7.4.2 was released with fixes for a medium-severity flaw leading to information disclosure.
Additional information can be found on Fortra’s product security page. The company makes no mention of any of these vulnerabilities being exploited in the wild, but security defects in its products have been targeted in attacks.
Related: PoC Code Published for Just-Disclosed Fortra GoAnywhere Vulnerability
Related: PoC Exploit Published for Critical Jenkins Vulnerability
Related: Recent Juniper Flaws Chained in Attacks Following PoC Exploit Publication