Cyber Resilience

CVE-2024-23692

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 31 May 2024
Modified: 31 October 2025
KEV Added: 09 July 2024
Patch: none (vendor support ended)
CVSS v3.1 Score: 9.8 (Critical), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.9430 (99.9th percentile)
Risk Priority: 96 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-23692 is a critical-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Rejetto HTTP File Server. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SC-7 (Boundary Protection).

Deeper analysis

Rejetto HTTP File Server versions up to and including 2.3m contain a template injection vulnerability that permits remote code execution. The flaw, tracked as CVE-2024-23692 and assigned CWE-1336 and CWE-94, resides in the server's template handling logic and carries a CVSS 3.1 score of 9.8. The product reached end-of-support status by the time the CVE was assigned, leaving no vendor-provided updates.

An unauthenticated attacker can exploit the issue over the network by submitting a crafted HTTP request that causes the server to evaluate attacker-controlled template content. Successful exploitation grants arbitrary command execution with the privileges of the HFS process, enabling full system compromise without any user interaction or authentication.

Public references, including a Metasploit pull request and technical write-ups from Rapid7 and VulnCheck, document working proof-of-concept code and a ready-to-use module. Because the software is unsupported, the only effective mitigation is to discontinue use of Rejetto HFS 2.3m and migrate to a maintained alternative.

The associated EPSS score has reached a peak of 0.9594 with a current value of 0.9430, indicating sustained exploitation interest following disclosure.

EU & UK References

Vulnerability details

Rejetto HTTP File Server, up to and including version 2.3m, is vulnerable to a template injection vulnerability. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request. As of the CVE assignment date, Rejetto HFS 2.3m is no longer supported.

CWE(s): CWE-1336, CWE-94
KEV Date Added: 09 July 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: rejetto
Product: http file server
Versions: ≤ 2.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

- Prevent (SA-22, Unsupported System Components): directly requires replacement of Rejetto HFS 2.3m once vendor support ended, eliminating the unsupported template-injection flaw before exploitation.
- Prevent (SC-7, Boundary Protection): boundary-protection mechanisms (firewalls, allow-lists, segmentation) block unauthenticated network requests to the vulnerable HFS listener, stopping crafted template-injection traffic.
- Prevent: mandates validation and sanitization of all HTTP input, which would have blocked the template directives that produce arbitrary command execution.

References