CVE-2024-23692
Published: 31 May 2024
Summary
CVE-2024-23692 is a critical-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Rejetto Http File Server. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SC-7 (Boundary Protection).
Deeper analysis
Rejetto HTTP File Server versions up to and including 2.3m contain a template injection vulnerability that permits remote code execution. The flaw, tracked as CVE-2024-23692 and assigned CWE-1336 and CWE-94, resides in the server's template handling logic and carries a CVSS 3.1 score of 9.8. The product reached end-of-support status by the time the CVE was assigned, leaving no vendor-provided updates.
An unauthenticated attacker can exploit the issue over the network by submitting a crafted HTTP request that causes the server to evaluate attacker-controlled template content. Successful exploitation grants arbitrary command execution with the privileges of the HFS process, enabling full system compromise without any user interaction or authentication.
Public references, including a Metasploit pull request and technical write-ups from Rapid7 and VulnCheck, document working proof-of-concept code and a ready-to-use module. Because the software is unsupported and no fix will be issued, the only complete remediation is to discontinue use of Rejetto HFS 2.3m and migrate to a maintained alternative; restricting network access to the listener reduces exposure only until that migration is done.
The associated EPSS score has reached a peak of 0.9594 with a current value of 0.9430, indicating sustained exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-21153
Vulnerability details
Rejetto HTTP File Server, up to and including version 2.3m, is vulnerable to a template injection vulnerability. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request. As of the CVE assignment date, Rejetto HFS 2.3m is no longer supported.
- CWE(s): CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine), CWE-94 (Improper Control of Generation of Code)
- KEV Date Added: 09 July 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Rejetto HTTP File Server (HFS), all versions up to and including 2.3m; no fixed version exists because the product is out of support.
Mitigating Controls (NIST 800-53 r5)
- SA-22 (Unsupported System Components): requires replacing Rejetto HFS 2.3m, which is past vendor support, so that the template-injection flaw is removed rather than left exposed with no patch available.
- SC-7 (Boundary Protection): firewalls, allow-lists and segmentation block unauthenticated network requests to the vulnerable HFS listener, stopping crafted template-injection traffic before it reaches the template engine.
- SI-10 (Information Input Validation): validation and sanitization of all HTTP input would have prevented the template directives that lead to arbitrary command execution from ever being evaluated.