Cyber Resilience

CVE-2024-5276

Critical · Public PoC

Published: 25 June 2024

Modified: 04 April 2025
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8742 (99.5th percentile)
Risk Priority: 72 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-5276 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Fortra FileCatalyst Workflow. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Deeper analysis

CVE-2024-5276 is a SQL injection vulnerability in Fortra FileCatalyst Workflow that permits an attacker to modify application data, including creation of administrative users and deletion or modification of database records. Data exfiltration is not possible via this flaw. It affects all versions of FileCatalyst Workflow up to and including 5.1.6 Build 135 and is tracked under CWE-20 and CWE-89 with a CVSS 3.1 score of 9.8.

Successful exploitation can be performed unauthenticated when anonymous access is enabled on the Workflow system; otherwise an authenticated user account is required. An attacker reaching the vulnerable component can achieve high-impact changes to the application database without needing user interaction.

Fortra has published security advisories (FI-2024-008) and knowledge-base articles detailing the issue; together with Tenable research (TRA-2024-25), these reference the affected builds and remediation guidance.

The EPSS score for this CVE stands at 0.8742 with no material rise from a lower baseline.

Vulnerability details

A SQL Injection vulnerability in Fortra FileCatalyst Workflow allows an attacker to modify application data. Likely impacts include creation of administrative users and deletion or modification of data in the application database. Data exfiltration via SQL injection is not possible using this vulnerability. Successful unauthenticated exploitation requires a Workflow system with anonymous access enabled, otherwise an authenticated user is required. This issue affects all versions of FileCatalyst Workflow from 5.1.6 Build 135 and earlier.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1136.001 · Local Account · Persistence
Adversaries may create a local account to maintain access to victim systems.

T1565.001 · Stored Data Manipulation · Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

Why these techniques?

Unauthenticated SQL injection in public-facing FileCatalyst Workflow enables initial access via exploitation (T1190), creation of administrative accounts (T1136.001), and modification/deletion of stored database data (T1565.001).

Affected Assets

fortra
filecatalyst workflow
5.1.6 · ≤ 5.1.6

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-20 CWE-89

Directly implements checks on information inputs to reject invalid data before processing.

addresses: CWE-89

Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

addresses: CWE-20

Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.

addresses: CWE-20

Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.

addresses: CWE-20

Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.
