
Fortra Discloses Critical Security Flaw in FileCatalyst Solution (CVE-2024-25153)

Fortra, a file transfer solution provider, recently disclosed a critical security flaw in its FileCatalyst file transfer solution that could allow unauthenticated attackers to execute code remotely on vulnerable servers. The flaw is tracked as CVE-2024-25153 and has a CVSS score of 9.8 out of 10, indicating its severity. The flaw was first reported on August 9, 2023, and was addressed two days later in FileCatalyst Workflow version 5.1.6 Build 114.

According to the company, the flaw exists in the FileCatalyst Workflow Portal's 'ftpservlet'. Attackers could exploit the flaw by uploading files outside the intended 'uploadtemp' directory with a specially crafted POST request. If a file is successfully uploaded to the portal's DocumentRoot, this could potentially lead to execution of arbitrary code, including web shells.
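The weakness described above is a classic upload path traversal: a client-controlled filename is joined to the intended upload directory without checking where the resulting path actually lands. The following Python snippet is an added illustration, not Fortra's code and not a statement about how FileCatalyst implements its servlet; the upload directory path and the sample filenames are assumed. It contrasts the flawed join with a containment check that resolves the candidate path and rejects anything that does not stay strictly inside the upload root.

```python
from pathlib import Path
from typing import Optional

# Hypothetical upload directory for the demonstration (not FileCatalyst's real layout).
UPLOAD_ROOT = Path("/srv/demo-app/uploadtemp")


def naive_target(upload_root: Path, client_name: str) -> Path:
    """The flawed pattern: trust the client-supplied name and join it to the upload directory.

    Note that pathlib drops the left side entirely when the right side is absolute,
    and '..' components are kept, so both '/etc/x' and '../x' escape upload_root.
    """
    return Path(upload_root) / client_name


def safe_target(upload_root: Path, client_name: str) -> Optional[Path]:
    """Return the on-disk path for an upload, or None if the name would resolve outside upload_root."""
    if not client_name or "\x00" in client_name:
        # Empty names and embedded NUL bytes are never valid filenames.
        return None
    root = Path(upload_root).resolve()
    # resolve() normalises '..' and symlinks, so the check is done on the real target.
    candidate = (root / client_name).resolve()
    # Containment check: root must be a proper ancestor of the candidate.
    if candidate == root or root not in candidate.parents:
        return None
    return candidate


def escapes_root(upload_root: Path, client_name: str) -> bool:
    """True if the naive join would place the file outside upload_root (i.e. the traversal succeeds)."""
    root = Path(upload_root).resolve()
    resolved = naive_target(root, client_name).resolve()
    return resolved == root or root not in resolved.parents


if __name__ == "__main__":
    # Constructed sample names: one benign, one relative traversal, one absolute path.
    for name in ("report.pdf", "../../outside.txt", "/etc/hostname"):
        print(f"{name!r:22} naive -> {naive_target(UPLOAD_ROOT, name)}  "
              f"escapes={escapes_root(UPLOAD_ROOT, name)}  safe -> {safe_target(UPLOAD_ROOT, name)}")
```

The important design point is that the check runs on the resolved path, not on the raw string: filtering for the literal sequence `../` misses encoded or mixed-separator variants, whereas comparing the canonical target against the canonical root catches any name that leaves the directory, whatever form it took in the request.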

Security researcher Tom Wedgbury of LRQA Nettitude discovered and reported the flaw. Fortra has since released a full proof-of-concept (PoC) demonstrating how the flaw could be exploited to upload a shell and execute system commands.

In addition, Fortra addressed two other security flaws in FileCatalyst Direct (CVE-2024-25154 and CVE-2024-25155) that could result in information leakage and code execution.

Given the recent exploitation of previously disclosed flaws in Fortra's GoAnywhere managed file transfer (MFT) solution by threat actors like Cl0p, it is highly recommended that users apply the necessary updates to mitigate potential threats. Fortra has taken swift action to address these critical security flaws in its file transfer solutions, and users are advised to update their systems as soon as possible to ensure the safety and security of their data.


Deitasoft © 2024. All Rights Reserved.