Fortra has released details of a critical security flaw, now fixed, impacting its FileCatalyst file transfer solution that could allow unauthenticated attackers to achieve remote code execution on sensitive servers.
Tracked as CVE-2024-25153, the flaw carries a CVSS score of 9.8 out of a possible 10.
“A directory traversal within the FileCatalyst Workflow web portal ‘ftpservlet’ allows you to upload files outside of the intended ‘uploadtemp’ directory with a specially crafted POST request,” the company said in an advisory last week.
“In situations where a file is successfully uploaded to the web portal’s DocumentRoot, specially crafted JSP files can be used to execute code, including web shells.”
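The two advisory quotes above describe the classic file-upload traversal: a client-controlled filename is joined onto the intended upload directory, `../` segments walk it out to the DocumentRoot, and a `.jsp` dropped there is executed by the servlet container. The following Python is an added illustration of that bug class and of the check that closes it; it is not Fortra's code, it does not reproduce FileCatalyst internals, and the upload root `/srv/fc/uploadtemp` and the sample filenames are constructed for the example.

```python
import os
from pathlib import Path, PurePosixPath

# Extensions a Java servlet container would execute if the file landed under
# the DocumentRoot. Blocking them is defence in depth; the primary control is
# the containment check in safe_upload_path().
EXECUTABLE_EXTENSIONS = {".jsp", ".jspx"}


def naive_upload_path(upload_root: str, client_filename: str) -> str:
    """The vulnerable pattern: trust the client-supplied name and join it to
    the upload directory. A name containing '../' escapes upload_root."""
    return os.path.normpath(os.path.join(upload_root, client_filename))


def is_within(root: Path, candidate: Path) -> bool:
    """True if candidate is root itself or lies somewhere below it."""
    return candidate == root or root in candidate.parents


def safe_upload_path(upload_root: str, client_filename: str) -> Path:
    """Hardened pattern: resolve the final destination (collapsing '..' and
    symlinks) and refuse it unless it stays inside upload_root; then reject
    web-executable extensions as a second layer."""
    root = Path(upload_root).resolve()
    # Normalise Windows-style separators so a backslash cannot smuggle a
    # parent reference past a check that only looks for '/'.
    normalised = client_filename.replace("\\", "/")
    if normalised.strip() in ("", ".", ".."):
        raise ValueError("empty or relative filename rejected")
    candidate = (root / normalised).resolve()
    if not is_within(root, candidate):
        raise ValueError(f"resolved path escapes upload root: {candidate}")
    if PurePosixPath(candidate.name).suffix.lower() in EXECUTABLE_EXTENSIONS:
        raise ValueError("web-executable file type rejected")
    return candidate


def classify(upload_root: str, client_filename: str) -> str:
    """Convenience wrapper: 'accepted' or the rejection reason."""
    try:
        safe_upload_path(upload_root, client_filename)
        return "accepted"
    except ValueError as exc:
        return str(exc).split(":")[0]


if __name__ == "__main__":
    ROOT = "/srv/fc/uploadtemp"  # constructed path, not the product's layout
    samples = [  # constructed filenames as a client might send them
        "report.csv",
        "../webapps/ROOT/shell.jsp",
        "..\\webapps\\ROOT\\shell.jsp",
        "notes.jsp",
    ]
    for name in samples:
        print(f"{name!r:32} naive -> {naive_upload_path(ROOT, name)}")
        print(f"{'':32} safe  -> {classify(ROOT, name)}")
```

Run on the constructed inputs, the naive join sends `../webapps/ROOT/shell.jsp` to `/srv/fc/webapps/ROOT/shell.jsp`, exactly the "outside of the intended uploadtemp directory" outcome the advisory describes, while the hardened version rejects it for escaping the root and separately rejects an in-root `notes.jsp` on its extension. The containment check is done on the resolved path rather than by string-matching `..`, so percent-decoding done earlier by the web layer and symlinked directories are covered by the same rule.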
The vulnerability, the company said, was first reported on August 9, 2023, and fixed two days later in FileCatalyst Workflow version 5.1.6 Build 114 without a CVE identifier. Fortra was authorized as a CVE Numbering Authority (CNA) in early December 2023.
Security researcher Tom Wedgbury of LRQA Nettitude was credited with discovering and reporting the flaw. LRQA Nettitude has since released a proof-of-concept (PoC) exploit, describing how the flaw could be weaponized to load a web shell and execute arbitrary system commands.
In January 2024, Fortra also addressed two additional security vulnerabilities in FileCatalyst Direct (CVE-2024-25154 and CVE-2024-25155) that could lead to information leakage and code execution.
Given that previously disclosed flaws in Fortra GoAnywhere’s managed file transfer (MFT) have been heavily exploited over the past year by threat actors such as Cl0p, users are advised to apply the necessary updates to mitigate potential threats.