CVE-2024-44849
📋 TL;DR
Qualitor up to version 8.24 is vulnerable to remote code execution via arbitrary file upload in the checkAcesso.php endpoint. Attackers can upload malicious files to execute arbitrary code on affected systems. All organizations running vulnerable Qualitor versions are affected.
💻 Affected Systems
- Qualitor
📦 What is this software?
Qualitor by Qualitor
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary commands, steal sensitive data, deploy ransomware, or pivot to other network systems.
Likely Case
Attackers gain initial foothold on the server, install backdoors, exfiltrate data, and potentially move laterally within the network.
If Mitigated
Attack is blocked at perimeter, file uploads are properly validated, and execution is prevented through security controls.
🎯 Exploit Status
Public proof-of-concept code is available, making exploitation straightforward for attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.25 or later
Vendor Advisory: https://www.qualitor.com.br/official-security-advisory-cve-2024-44849
Restart Required: No
Instructions:
1. Download the latest version from Qualitor official sources.
2. Backup current installation.
3. Apply the update following vendor instructions.
4. Verify the fix by checking version number.
🔧 Temporary Workarounds
Block access to checkAcesso.php
Temporarily block or restrict access to the vulnerable endpoint. Test the application after applying the block, since any legitimate function served by this script will also stop working.
# Web server configuration to block checkAcesso.php
# For Apache (requires mod_rewrite): add to .htaccess:
#   RewriteEngine On
#   RewriteRule ^checkAcesso\.php$ - [F,L]
# For Nginx: location ~ /checkAcesso\.php$ { deny all; }
Implement file upload restrictions
Configure the web server to refuse execution of script files in the directories where uploads are stored. Scope the rule to those directories only: applied site-wide, it would also block Qualitor's own PHP pages.
# Example Apache configuration (place inside a <Directory> block for the upload path)
<FilesMatch "\.(php|phtml|phar|php[0-9]+)$">
Deny from all
</FilesMatch>
# On Apache 2.4 without mod_access_compat, use "Require all denied" instead of "Deny from all"
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Qualitor systems
- Deploy web application firewall with rules to block malicious file uploads
🔍 How to Verify
Check if Vulnerable:
Check the Qualitor version number in the admin interface or configuration files. If the version is 8.24 or earlier, the system is vulnerable.
Check Version:
Check Qualitor admin panel or configuration files for version information
Verify Fix Applied:
Verify version is 8.25 or later. Test file upload functionality with malicious files to ensure they are rejected.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to checkAcesso.php
- Multiple failed upload attempts
- Execution of unexpected PHP files
Network Indicators:
- POST requests to checkAcesso.php with file uploads
- Outbound connections from Qualitor server to unknown IPs
SIEM Query:
source="web_server" AND (uri="/checkAcesso.php" OR file_upload="true")
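The log and network indicators above can be turned into a small offline check. The following script is an added example, not part of the original advisory or of Qualitor itself: it parses web-server access logs in the common "combined" format, flags every POST to /checkAcesso.php, and raises a separate alert when one source address accumulates repeated non-2xx POSTs to that endpoint. The log lines, the source addresses and the failure threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/Nginx "combined" access-log format
# (not taken from a real Qualitor host).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Oct/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Oct/2024:10:00:05 +0000] "POST /checkAcesso.php HTTP/1.1" 200 37 "-" "python-requests/2.31"
203.0.113.10 - - [01/Oct/2024:10:00:06 +0000] "POST /checkAcesso.php HTTP/1.1" 403 12 "-" "python-requests/2.31"
203.0.113.10 - - [01/Oct/2024:10:00:07 +0000] "POST /checkAcesso.php HTTP/1.1" 403 12 "-" "python-requests/2.31"
198.51.100.7 - - [01/Oct/2024:10:01:00 +0000] "GET /checkAcesso.php?x=1 HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

# One "combined" log line: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

VULN_ENDPOINT = "/checkAcesso.php"   # endpoint named in the advisory
FAILED_THRESHOLD = 2                 # assumption: >= 2 failed POSTs from one IP is worth an alert


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string before matching
    return rec


def analyze(log_text):
    """Scan a whole log and report POSTs to the vulnerable endpoint."""
    posts = []
    failed_by_ip = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"].lower() != VULN_ENDPOINT.lower():
            continue
        if rec["method"] != "POST":
            continue  # GETs to the endpoint are ordinary page loads, not upload attempts
        posts.append(rec)
        if not 200 <= rec["status"] < 300:
            failed_by_ip[rec["ip"]] += 1

    alerts = [
        f"POST to {VULN_ENDPOINT} from {p['ip']} at {p['ts']} status {p['status']} ua={p['ua']!r}"
        for p in posts
    ]
    for ip, n in failed_by_ip.items():
        if n >= FAILED_THRESHOLD:
            alerts.append(f"{n} failed POSTs to {VULN_ENDPOINT} from {ip}")
    return {"post_count": len(posts), "failed_by_ip": dict(failed_by_ip), "alerts": alerts}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for a in result["alerts"]:
        print("ALERT:", a)
```

Run against a real access log by replacing SAMPLE_LOG with the file contents. The path comparison is case-insensitive so the check also holds on case-insensitive filesystems; on a Linux host you may tighten it to an exact match. Any POST to this endpoint deserves review on an unpatched 8.24 install, which is why every one is reported rather than only the repeated failures.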