CVE-2024-35527
📋 TL;DR
This vulnerability allows attackers to upload malicious .cfm files to FarCry Core framework servers, leading to remote code execution. It affects all FarCry Core installations before version 7.2.14 that have the vulnerable file upload endpoint accessible.
💻 Affected Systems
- Daemon PTY Limited FarCry Core framework
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control over the web server, allowing data theft, lateral movement, and persistent backdoor installation.
Likely Case
Web server compromise leading to defacement, data exfiltration, or deployment of web shells for ongoing access.
If Mitigated
Attack blocked at perimeter with file upload restrictions, resulting in failed exploitation attempts.
🎯 Exploit Status
Simple file upload exploitation with no authentication required makes this highly exploitable.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.2.14
Vendor Advisory: https://bastionsecurity.co.nz/advisories/farcry-core-multiple.html
Restart Required: Yes
Instructions:
1. Back up the current installation.
2. Download FarCry Core 7.2.14 or later.
3. Replace vulnerable files with patched versions.
4. Restart web server and application services.
🔧 Temporary Workarounds
Block File Upload Endpoint
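Restrict access to the vulnerable upload endpoint using web server configuration.
# Apache (server or virtual-host context; requires mod_rewrite and "RewriteEngine On"):
RewriteRule ^/fileupload/upload\.cfm$ - [F]
# Nginx (inside the server block):
location ~ ^/fileupload/upload\.cfm$ { return 403; }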
File Extension Restriction
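Configure web server to block .cfm file uploads at the vulnerable endpoint.
# Apache:
<Location "/fileupload/upload.cfm">
    # Request_URI is the endpoint path itself, so this rule denies every request to it;
    # the uploaded file's name travels in the request body, which SetEnvIf cannot inspect.
    SetEnvIf Request_URI ".*\.cfm$" block_cfm
    # Apache 2.2-style access control; on Apache 2.4 this needs mod_access_compat.
    Deny from env=block_cfm
</Location>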
🧯 If You Can't Patch
- Implement strict file upload validation to reject .cfm files and other executable formats.
- Deploy WAF rules to block malicious file upload attempts targeting the vulnerable endpoint.
🔍 How to Verify
Check if Vulnerable:
Check if FarCry Core version is below 7.2.14 and if /fileupload/upload.cfm endpoint accepts .cfm file uploads.
Check Version:
Check FarCry Core configuration files or admin interface for version information.
Verify Fix Applied:
Verify version is 7.2.14 or higher and test that .cfm file uploads to the endpoint are properly rejected.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /fileupload/upload.cfm with .cfm file uploads
- Unusual file creation in web directories
- ColdFusion error logs showing file upload attempts
Network Indicators:
- POST requests to vulnerable endpoint with file upload content
- Unusual outbound connections from web server post-upload
SIEM Query:
source="web_server_logs" AND uri="/fileupload/upload.cfm" AND method="POST" AND (file_extension=".cfm" OR content_type="application/x-coldfusion")
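The log indicators above, as an added example (not part of the original advisory or of the FarCry project): a Python scan of web access logs that lists POSTs to /fileupload/upload.cfm and flags the first request for a previously unseen .cfm path from a client whose upload was answered with 2xx. The combined log format is an assumption, and the sample lines, IP addresses and the /uploads/x1.cfm path are constructed.

```python
import re

ENDPOINT = "/fileupload/upload.cfm"  # upload endpoint named in this advisory

# Assumed format (Apache/Nginx combined): ip ident user [time] "METHOD path PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges, made-up paths), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jun/2024:10:00:01 +0000] "GET /index.cfm HTTP/1.1" 200 5120
203.0.113.9 - - [10/Jun/2024:10:02:13 +0000] "POST /FileUpload/upload.cfm HTTP/1.1" 200 87
203.0.113.9 - - [10/Jun/2024:10:02:20 +0000] "GET /uploads/x1.cfm?a=1 HTTP/1.1" 200 12
198.51.100.7 - - [10/Jun/2024:10:03:00 +0000] "GET /index.cfm HTTP/1.1" 200 5120
192.0.2.44 - - [10/Jun/2024:10:05:40 +0000] "POST /fileupload/upload.cfm HTTP/1.1" 403 199
"""


def scan(lines):
    """Return (uploads, follow_ups): POSTs to the endpoint as (ip, ts, status), and
    first-seen .cfm paths requested by a client after its 2xx upload, as (ip, path)."""
    seen_cfm, uploaders, uploads, follow_ups = set(), set(), [], []
    for line in lines:  # lines must be in chronological order
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        # Compare case-insensitively and without the query string.
        path = m["path"].split("?", 1)[0].lower()
        status = int(m["status"])
        if path == ENDPOINT:
            if m["method"] == "POST":
                uploads.append((m["ip"], m["ts"], status))
                if 200 <= status < 300:  # the server accepted the request
                    uploaders.add(m["ip"])
            continue
        if path.endswith(".cfm"):
            if m["ip"] in uploaders and path not in seen_cfm:
                follow_ups.append((m["ip"], path))
            seen_cfm.add(path)
    return uploads, follow_ups


if __name__ == "__main__":
    uploads, follow_ups = scan(SAMPLE_LOG.splitlines())
    for ip, ts, status in uploads:
        print(f"upload POST  {ip}  {ts}  status={status}")
    for ip, path in follow_ups:
        print(f"new .cfm requested after upload  {ip}  {path}")
```

Access logs do not record the uploaded file's name, so a hit here is a lead to check against file creation times in the web directories, not proof of a web shell.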