CVE-2025-8450
📋 TL;DR
An improper access control vulnerability in Fortra's FileCatalyst Workflow component allows unauthenticated attackers to upload arbitrary files via the order forms page. This affects organizations using vulnerable versions of FileCatalyst Workflow, potentially leading to remote code execution or system compromise.
💻 Affected Systems
- Fortra FileCatalyst Workflow
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data exfiltration, ransomware deployment, or lateral movement within the network.
Likely Case
Arbitrary file upload leading to web shell deployment, data manipulation, or denial of service through disk space exhaustion.
If Mitigated
Limited impact if proper network segmentation, web application firewalls, and file upload validation are in place.
🎯 Exploit Status
Unauthenticated exploitation via HTTP requests to the vulnerable endpoint. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FileCatalyst Workflow 5.1.6 Build 114
Vendor Advisory: https://www.fortra.com/security/advisories/product-security/fi-2025-010
Restart Required: Yes
Instructions:
1. Download FileCatalyst Workflow 5.1.6 Build 114 from Fortra support portal. 2. Backup current installation and configuration. 3. Stop FileCatalyst Workflow service. 4. Install the update following vendor instructions. 5. Restart the service and verify functionality.
🔧 Temporary Workarounds
Network Access Restriction
allRestrict network access to FileCatalyst Workflow order forms page using firewall rules or network segmentation.
Web Application Firewall Rules
allImplement WAF rules to block unauthenticated file upload requests to the vulnerable endpoint.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate FileCatalyst Workflow from critical systems
- Deploy a web application firewall with rules specifically blocking unauthenticated upload requests to the order forms endpoint
🔍 How to Verify
Check if Vulnerable:
Check FileCatalyst Workflow version via admin interface or configuration files. If version is earlier than 5.1.6 Build 114, system is vulnerable.Check Version:
Check web interface or configuration files for version information. No universal command available.Verify Fix Applied:
Verify version is 5.1.6 Build 114 or later in admin interface. Test that unauthenticated file uploads to order forms page are properly rejected.📡 Detection & Monitoring
Log Indicators:
- Unauthenticated POST requests to order forms upload endpoints
- Unexpected file uploads from unauthenticated sources
- Large file uploads from unknown IP addresses
Network Indicators:
- HTTP POST requests to /orderforms/* upload endpoints without authentication headers
- Unusual file upload traffic patterns
SIEM Query:
source="filecatalyst.log" AND (uri_path="/orderforms/" AND http_method="POST") AND NOT (user_agent="authenticated" OR auth_token=*)