cbcvebase.
CVE-2023-39026
published 2023-08-22

CVE-2023-39026: Directory Traversal vulnerability in FileMage Gateway Windows Deployments v.1.10.8 and before allows a remote attacker to obtain sensitive information via a…

PriorityP276high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
10.56%
95.2th percentile
Directory Traversal vulnerability in FileMage Gateway Windows Deployments v.1.10.8 and before allows a remote attacker to obtain sensitive information via a crafted request to the /mgmt/ component.

Affected

1 ranges
VendorProductVersion rangeFixed in
filemagefilemage<= 1.10.8

Detection & IOCsextracted from sources · hover to see the quote

path/mgmnt/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini
path/mgmnt/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cprogramdata%5cfilemage%5cgateway%5cconfig.yaml
path/mgmt/
filenameconfig.yaml
  • Detect exploitation attempts by matching HTTP GET requests to the /mgmnt/ path containing URL-encoded backslash traversal sequences (%5c) targeting win.ini or config.yaml
  • A successful exploitation response will be HTTP 200 with Content-Type text/plain and body containing the strings 'bit app support', 'extensions', and 'fonts' (win.ini content)
  • Exploitation of the config.yaml path can be confirmed by checking for the string 'tls' in the response body, indicating the FileMage gateway configuration file was leaked
  • Use Shodan query title:"FileMage" to identify exposed FileMage Gateway instances for proactive detection and asset inventory
  • ·The exploit targets Windows deployments specifically via URL-encoded backslash (%5c) traversal; Linux/non-Windows deployments use forward slashes and may not be vulnerable to this exact payload
  • ·The Exploit-DB PoC targets Azure deployments specifically and versions strictly below 1.10.9; the NVD entry covers v.1.10.8 and before for Windows deployments
  • ·The vulnerable management endpoint is /mgmnt/ (with an extra 'n') in the actual exploit payloads, not /mgmt/ as described in the CVE advisory — detection rules should cover both variants

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.