www.belgium.be Logo of the federal government

WARNING: CRITICAL RCE VULNERABILITY IN FORTRA FILECATALYST WORKFLOW, PATCH IMMEDIATELY!

Reference: 
Advisory #2024-42
Version: 
1.0
Affected software: 
Fortra FileCatalyst Workflow 5.x before 5.1.6 Build 114
Type: 
Remote Code Execution
CVE/CVSS: 

CVE-2024-25153
CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

Risks

Fortra FileCatalyst Workflow, an enterprise file transfer solution, is at high risk due to the newly disclosed remote code execution (RCE) vulnerability,  CVE-2024-25153.

Successful exploitation of this vulnerability could give an remote unauthenticated attacker full control of affected servers and would highly affect the availability, confidentiality, and integrity.

There is no available information yet about the vulnerability being exploited in the wild by threat actors, but a PoC was released, thus increasing the risks of future exploitation by cyber threat actors.

Another vulnerability affecting Fortra GoAnywhere MFT file transfer software that was disclosed in January 2024 was observed as being exploited by threat actors.

A compromise of Fortra FileCatalyst Workflow could allow attackers to:

  • Exfiltrate Sensitive Data: Gain access to confidential files or steal credentials stored on the server or those in transit during file transfers.
  • Establish a Foothold: Use the compromised FileCatalyst server as a pivot point to launch attacks against other internal systems.
  • Cripple Operations: Disrupt essential business operations that rely on secure file transfers, potentially deploying ransomware or other destructive payloads.

Description

CVE-2024-25153 lies within the web portal component of FileCatalyst Workflow. Attackers can exploit a directory traversal within the ‘ftpservlet’ of the FileCatalyst Workflow Web Portal to uploaded files outside of the intended ‘uploadtemp’ directory with a specially crafted POST request.

In situations where a file is successfully uploaded to web portal’s DocumentRoot, specially crafted JSP files could be used to execute code, including web shells.

The affected version are: Fortra FileCatalyst Workflow 5.x before 5.1.6 Build 114

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

The users should urgently upgrade to FileCatalyst 5.1.6 Build 114 or higher.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References