CVE-2024-25153
Published: 13 March 2024
Summary
CVE-2024-25153 is a critical-severity directory traversal vulnerability in Fortra FileCatalyst Workflow, classified in the NVD entry under CWE-472 (External Control of Assumed-Immutable Web Parameter). Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.8% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A directory traversal vulnerability exists in the ftpservlet component of the FileCatalyst Workflow Web Portal. The servlet trusts path data supplied in a specially crafted POST request, so an uploaded file can be written outside the intended uploadtemp directory and potentially into the web portal’s DocumentRoot. The issue is tracked as CVE-2024-25153, carries a CVSS v3.1 score of 9.8, and is associated with CWE-472 and CWE-668.
An unauthenticated remote attacker can exploit the weakness over the network to place arbitrary files, including malicious JSP payloads, on the server. Once a JSP file lands in the DocumentRoot, the servlet container executes it when it is requested, giving the attacker code execution on the host: deployment of a web shell is the typical first step, followed by compromise of the underlying system.
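To make the mechanism concrete, the Python sketch below (an added example, not FileCatalyst code and not the vendor's fix) contrasts the unconfined path join the analysis describes with a confined version that keeps every write inside uploadtemp, and adds the file-integrity style check a defender would want for the indicator the previous paragraph implies: a JSP file written under the DocumentRoot outside uploadtemp. The DocumentRoot location, the session directory, the process name and the sample write events are assumptions constructed for the example.

```python
"""Illustration of the CVE-2024-25153 failure mode and two defences.

Added example; not FileCatalyst code. The DocumentRoot path, the session
directory, the process name and the write events are constructed assumptions.
"""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/opt/filecatalyst/workflow"                 # hypothetical DocumentRoot
UPLOAD_TEMP = posixpath.join(WEB_ROOT, "uploadtemp")    # intended upload sandbox


def vulnerable_target(session_dir: str, filename: str) -> str:
    """Pattern the advisory describes: the client-supplied name is joined under
    uploadtemp and normalised as-is, so '../' walks out into the DocumentRoot."""
    return posixpath.normpath(posixpath.join(UPLOAD_TEMP, session_dir, filename))


def hardened_target(session_dir: str, filename: str) -> str:
    """Confined version: keep only the leaf name the client sent, then prove the
    canonical result is still inside uploadtemp before any write happens."""
    leaf = posixpath.basename(unquote(filename))   # drops '../' and any directories
    if leaf in ("", ".", ".."):
        raise ValueError("empty or traversal-only file name")
    target = posixpath.normpath(posixpath.join(UPLOAD_TEMP, session_dir, leaf))
    # commonpath compares path components, so 'uploadtemp2' is not mistaken
    # for a child of 'uploadtemp' the way a string-prefix check would.
    if posixpath.commonpath([target, UPLOAD_TEMP]) != UPLOAD_TEMP:
        raise ValueError(f"{target} escapes {UPLOAD_TEMP}")
    return target


EXECUTABLE_EXT = (".jsp", ".jspx", ".jspf")


def flag_webroot_writes(write_events):
    """Post-exploitation indicator: a server-side page written under the
    DocumentRoot but outside uploadtemp. Events are (process, path) tuples as a
    file-integrity monitor or auditd would report them (constructed here)."""
    hits = []
    for process, path in write_events:
        canon = posixpath.normpath(path)
        in_webroot = posixpath.commonpath([canon, WEB_ROOT]) == WEB_ROOT
        in_temp = posixpath.commonpath([canon, UPLOAD_TEMP]) == UPLOAD_TEMP
        if in_webroot and not in_temp and canon.lower().endswith(EXECUTABLE_EXT):
            hits.append((process, canon))
    return hits


SAMPLE_WRITES = [  # constructed sample events, not real telemetry
    ("java", "/opt/filecatalyst/workflow/uploadtemp/s7f2/report.pdf"),
    ("java", "/opt/filecatalyst/workflow/uploadtemp/s7f2/../../cmd.jsp"),
    ("java", "/opt/filecatalyst/workflow/WEB-INF/lib/x.jar"),
]

if __name__ == "__main__":
    # Traversal in the file name escapes the sandbox in the vulnerable join...
    print(vulnerable_target("s7f2", "../../cmd.jsp"))   # -> /opt/filecatalyst/workflow/cmd.jsp
    # ...but is reduced to its leaf and kept inside uploadtemp by the hardened one.
    print(hardened_target("s7f2", "../../cmd.jsp"))     # -> .../uploadtemp/s7f2/cmd.jsp
    try:
        hardened_target("../..", "cmd.jsp")             # traversal in the directory part
    except ValueError as exc:
        print("rejected:", exc)
    print(flag_webroot_writes(SAMPLE_WRITES))           # -> [('java', '/opt/filecatalyst/workflow/cmd.jsp')]
```

The confinement check is the property the fixed build must provide; the write monitor is the complementary detection, since a JSP appearing in the DocumentRoot is exactly the precondition for code execution the analysis describes, regardless of how it got there.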
Vendor advisories from Fortra (FI-2024-002) and the FileCatalyst release notes for Workflow 5.1.6.114 describe the corrected build and recommend upgrading the Web Portal to that version to eliminate the traversal flaw.
A public proof-of-concept script is available on GitHub. The EPSS score for the CVE currently stands at 0.8222, identical to its recorded peak, indicating sustained rather than emerging exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-22491
Vulnerability details
A directory traversal within the ‘ftpservlet’ of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended ‘uploadtemp’ directory with a specially crafted POST request. In situations where a file is successfully uploaded to web portal’s DocumentRoot, specially crafted JSP files could be used to execute code, including web shells.
- CWE(s): CWE-472, CWE-668
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Control whether organizational resources are exposed to external system spheres by permitting or prohibiting their use.
- Ensure information is not released into a security sphere whose recipients lack matching access authorizations.
- Review and authorize content before publication so information resources are not exposed to the incorrect (public) sphere.
- Protect against data mining that would expose resources to unauthorized spheres by enforcing detection and controls.
- Restrict information flows so resources are not exposed to incorrect or unauthorized spheres.
- Control internal connections to prevent exposure of resources to unintended internal spheres.
- Know the exact processing and storage locations to avoid exposing resources to incorrect spheres.
- Prevent exposure of media resources to the wrong security sphere.