CVE-2024-25153
📋 TL;DR
CVE-2024-25153 is a critical directory traversal vulnerability in FileCatalyst Workflow Web Portal's ftpservlet that allows unauthenticated attackers to upload files outside the intended uploadtemp directory. Successful exploitation could lead to remote code execution via malicious JSP files, potentially resulting in web shell deployment. Organizations using vulnerable versions of FileCatalyst Workflow Web Portal are affected.
💻 Affected Systems
- FileCatalyst Workflow Web Portal
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through web shell deployment leading to data exfiltration, lateral movement, ransomware deployment, or persistent backdoor installation.
Likely Case
Web shell deployment allowing unauthorized file access, data theft, and potential privilege escalation on the affected server.
If Mitigated
Failed upload attempts logged with no code execution if proper file validation and directory restrictions are enforced.
🎯 Exploit Status
Public Python exploit script available on GitHub demonstrates reliable exploitation. The vulnerability requires no authentication and has straightforward exploitation steps.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.1.6 Build 114
Vendor Advisory: https://www.fortra.com/security/advisory/fi-2024-002
Restart Required: Yes
Instructions:
1. Download FileCatalyst Workflow Web Portal version 5.1.6 Build 114 or later from the vendor portal.
2. Backup current configuration and data.
3. Stop the FileCatalyst service.
4. Install the updated version.
5. Restart the service.
6. Verify functionality.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the FileCatalyst Workflow Web Portal to only trusted IP addresses or internal networks.
Use firewall rules to limit access (e.g., iptables -A INPUT -p tcp --dport [PORT] -s [TRUSTED_IP] -j ACCEPT)
File Upload Directory Hardening
Configure strict file upload restrictions and validate file paths to prevent directory traversal.
Configure web server to reject requests with '../' sequences in file paths
🧯 If You Can't Patch
- Implement network segmentation to isolate the vulnerable system from critical assets
- Deploy web application firewall (WAF) rules to block directory traversal patterns and suspicious file uploads
🔍 How to Verify
Check if Vulnerable:
Check the FileCatalyst Workflow Web Portal version via the admin interface or by examining installed files. Versions below 5.1.6 Build 114 are vulnerable.
Check Version:
Check the web portal admin interface or examine the release notes file in the installation directory.
Verify Fix Applied:
Confirm the version is 5.1.6 Build 114 or later and test that directory traversal attempts via ftpservlet are properly blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to non-standard directories
- HTTP POST requests to ftpservlet with '../' sequences
- JSP file uploads to unexpected locations
Network Indicators:
- Unusual outbound connections from the FileCatalyst server
- POST requests to ftpservlet from unexpected sources
SIEM Query:
source="filecatalyst.logs" AND (uri_path="*ftpservlet*" AND (http_method="POST" AND (uri_query="*../*" OR user_agent="*python*")))
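To make the log indicators above actionable, here is an added Python example (not from the advisory, the vendor, or the public exploit repository) that scans access-log lines for the listed patterns: POST requests to ftpservlet whose URL-decoded request target contains a traversal sequence or a .jsp filename, or that arrive with a python user agent. The combined log format, the /workflow/servlet path prefix and the name= query parameter are assumptions; the sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (combined log format). Path prefix and parameter
# name are assumptions; they are not taken from FileCatalyst documentation.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Mar/2024:10:01:02 +0000] "POST /workflow/servlet/ftpservlet?name=report.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Mar/2024:10:02:10 +0000] "POST /workflow/servlet/ftpservlet?name=../../cmd.jsp HTTP/1.1" 200 128 "-" "python-requests/2.31"
203.0.113.9 - - [13/Mar/2024:10:02:11 +0000] "POST /workflow/servlet/ftpservlet?name=%2e%2e%2f%2e%2e%2fshell.jsp HTTP/1.1" 200 128 "-" "Mozilla/5.0"
10.0.0.7 - - [13/Mar/2024:10:03:00 +0000] "GET /workflow/servlet/ftpservlet?name=../etc HTTP/1.1" 403 0 "-" "curl/8.0"
10.0.0.8 - - [13/Mar/2024:10:04:00 +0000] "POST /workflow/index.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
TRAVERSAL_RE = re.compile(r'\.\./')  # matched after decoding and slash normalisation

def decode_target(target):
    """Percent-decode up to three times so single- and double-encoded '..' are
    both visible, then normalise backslashes to forward slashes."""
    prev, cur = None, target
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace('\\', '/')

def classify(line):
    """Return a finding dict for a suspicious ftpservlet POST, else None."""
    m = LINE_RE.match(line)
    if not m or m['method'] != 'POST' or 'ftpservlet' not in m['target'].lower():
        return None
    target = decode_target(m['target'])
    reasons = []
    if TRAVERSAL_RE.search(target):
        reasons.append('traversal')
    if '.jsp' in target.lower():
        reasons.append('jsp')
    if 'python' in m['ua'].lower():
        reasons.append('python-ua')
    if not reasons:
        return None
    status = int(m['status'])
    # A 2xx on a traversal attempt means the request was not rejected: escalate.
    return {'ip': m['ip'], 'ts': m['ts'], 'status': status,
            'succeeded': 200 <= status < 300, 'reasons': reasons}

def scan(log_text):
    """Apply classify() to every line and keep the findings in log order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]
```

Findings with `succeeded` set deserve immediate triage; a server that has the fix or the web-server workaround in place should only ever produce findings with 4xx status codes.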
🔗 References
- https://filecatalyst.software/public/filecatalyst/Workflow/5.1.6.114/fcweb_releasenotes.html
- https://www.fortra.com/security/advisory/fi-2024-002
- https://github.com/nettitude/CVE-2024-25153/blob/master/CVE-2024-25153.py