CVE-2024-25291 – CVE-2024-25291 is a critical remote code execut... (How to Fix)

Q: What is the severity of CVE-2024-25291?

CVE-2024-25291 has a CVSS score of 9.8 (CRITICAL). CVE-2024-25291 is a critical remote code execution vulnerability in Deskfiler v1.2.3 that allows attackers to execute arbitrary code by uploading a malicious plugin. This affects all Deskfiler v1.2.3 installations with plugin upload functionality enabled. Attackers can gain complete control of affected systems.

📋 TL;DR

CVE-2024-25291 is a critical remote code execution vulnerability in Deskfiler v1.2.3 that allows attackers to execute arbitrary code by uploading a malicious plugin. This affects all Deskfiler v1.2.3 installations with plugin upload functionality enabled. Attackers can gain complete control of affected systems.

💻 Affected Systems

Products:

Deskfiler

Versions: v1.2.3

Operating Systems: Windows, Linux, macOS

Default Config Vulnerable: ⚠️ Yes

Notes: All installations with plugin upload functionality are vulnerable. The vulnerability exists in the plugin upload mechanism.

📦 What is this software?

Deskfiler by Deskfiler

View all CVEs affecting Deskfiler →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise leading to data theft, ransomware deployment, lateral movement within networks, and persistent backdoor installation.

🟠

Likely Case

Initial access leading to privilege escalation, data exfiltration, and deployment of additional malware payloads.

🟢

If Mitigated

Limited impact with proper network segmentation, application whitelisting, and strict upload controls preventing successful exploitation.

🌐 Internet-Facing: HIGH

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public proof-of-concept code is available on GitHub, making exploitation trivial for attackers. The vulnerability requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

No official patch is available. Consider the following workarounds or discontinue use of Deskfiler v1.2.3.

🔧 Temporary Workarounds

Disable Plugin Uploads

all

Disable the plugin upload functionality in Deskfiler configuration

Edit Deskfiler configuration file to set plugin_upload_enabled = false

Network Segmentation

all

Isolate Deskfiler instances from critical network segments

Configure firewall rules to restrict Deskfiler network access

🧯 If You Can't Patch

Implement strict network access controls to isolate Deskfiler instances
Deploy web application firewall (WAF) rules to block malicious plugin uploads

🔍 How to Verify

Check if Vulnerable:

Check Deskfiler version. If running v1.2.3, the system is vulnerable.

Check Version:

Check Deskfiler about menu or configuration file for version information

Verify Fix Applied:

Verify plugin upload functionality is disabled or Deskfiler is upgraded to a patched version.

📡 Detection & Monitoring

Log Indicators:

Unusual plugin upload attempts
Suspicious file uploads to plugin directory
Execution of unexpected system commands

Network Indicators:

Unusual outbound connections from Deskfiler server
Traffic to known malicious IPs

SIEM Query:

source="deskfiler.log" AND ("plugin upload" OR "file upload") AND status="success"

📊 Metadata

CVE ID: CVE-2024-25291

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-94

Published: February 29, 2024

Last Updated: March 27, 2025

🔗 References

https://github.com/ji-zzang/EQST-PoC/tree/main/2024/RCE/CVE-2024-25291 Exploit,Third Party Advisory
https://github.com/ji-zzang/EQST-PoC/tree/main/2024/RCE/CVE-2024-25291 Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-25291, you might also want to check these: