Reference: Advisory #2024-42
Version: 1.0
Affected software: Fortra FileCatalyst Workflow 5.x before 5.1.6 Build 114
Type: Remote Code Execution
CVE/CVSS: CVE-2024-25153, CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Fortra FileCatalyst Workflow, an enterprise file transfer solution, is at high risk due to the newly disclosed remote code execution (RCE) vulnerability, CVE-2024-25153.
Successful exploitation of this vulnerability could give a remote unauthenticated attacker full control of affected servers and would severely affect their availability, confidentiality, and integrity.
There is no available information yet about the vulnerability being exploited in the wild by threat actors, but a PoC was released, thus increasing the risks of future exploitation by cyber threat actors.
Another vulnerability affecting Fortra GoAnywhere MFT file transfer software that was disclosed in January 2024 was observed as being exploited by threat actors.
A compromise of Fortra FileCatalyst Workflow could allow attackers to:
CVE-2024-25153 lies within the web portal component of FileCatalyst Workflow. Attackers can exploit a directory traversal within the ‘ftpservlet’ of the FileCatalyst Workflow Web Portal to upload files outside of the intended ‘uploadtemp’ directory with a specially crafted POST request.
In situations where a file is successfully uploaded to the web portal’s DocumentRoot, specially crafted JSP files could be used to execute code, including web shells.
The affected versions are: Fortra FileCatalyst Workflow 5.x before 5.1.6 Build 114
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Users should urgently upgrade to FileCatalyst 5.1.6 Build 114 or higher.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
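Because patching does not reveal files already written to the DocumentRoot, one way to check for leftovers is to compare the JSP files on the live server against a known-good copy of the same build. The following is an added example, not code from the CCB or Fortra; it assumes a clean reference install is available, and every directory and file name in `demo()` is constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

SCRIPT_SUFFIXES = {".jsp", ".jspx"}  # server-executed page types to audit

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_baseline(clean_root: Path) -> dict[str, str]:
    """Map relative path -> SHA-256 for every JSP file in a known-good install."""
    return {
        p.relative_to(clean_root).as_posix(): sha256_of(p)
        for p in clean_root.rglob("*")
        if p.is_file() and p.suffix.lower() in SCRIPT_SUFFIXES
    }

def audit_docroot(live_root: Path, baseline: dict[str, str]) -> list[tuple[str, str]]:
    """Return (relative path, reason) for JSP files that are new or altered."""
    findings = []
    for p in sorted(live_root.rglob("*")):
        if not p.is_file() or p.suffix.lower() not in SCRIPT_SUFFIXES:
            continue
        rel = p.relative_to(live_root).as_posix()
        if rel not in baseline:
            findings.append((rel, "not in baseline"))
        elif sha256_of(p) != baseline[rel]:
            findings.append((rel, "content changed"))
    return findings

def demo() -> list[tuple[str, str]]:
    """Constructed sample trees: a clean install and a live DocumentRoot."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "uploadtemp").mkdir(parents=True)
            (root / "index.jsp").write_text("<%-- vendor page --%>")
            (root / "login.jsp").write_text("<%-- vendor login --%>")
        (live / "login.jsp").write_text("<%-- modified after install --%>")
        (live / "uploadtemp" / "report.pdf").write_text("user upload")
        (live / "x1.jsp").write_text("<%-- unexpected file --%>")
        return audit_docroot(live, build_baseline(clean))

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:16} {rel}")
```

Any finding is a lead for incident response rather than proof of compromise; preserve the file and its timestamps before removing it.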