cbcvebase.
CVE-2024-25153
published 2024-03-13

Priority P272, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 41.74% (98.5th percentile)

A directory traversal within the ‘ftpservlet’ of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended ‘uploadtemp’ directory with a specially crafted POST request. In situations where a file is successfully uploaded to web portal’s DocumentRoot, specially crafted JSP files could be used to execute code, including web shells.

Affected (3 ranges)

Vendor | Product | Version range | Fixed in
fortra | filecatalyst | >= 5.1.4 < 5.1.6 | 5.1.6
fortra | filecatalyst_workflow | |
fortra | filecatalyst_workflow | >= 5.0 < 5.1.6 | 5.1.6

Detection & IOCs (extracted from sources)

url: /servlet/ftpservlet
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Fortra FileCatalyst Workflow 5.x Arbitrary File Upload (CVE-2024-25153)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/servlet/ftpservlet"; fast_pattern; content:"sid|3d|"; pcre:"/^[^&]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; http.header; to_lowercase; content:"x-file-name|3a 20|"; reference:url,labs.nettitude.com/blog/cve-2024-25153-remote-code-execution-in-fortra-filecatalyst/; reference:cve,2024-25153; classtype:web-application-attack; sid:2056390; rev:1; metadata:affected_product Fortra_FileCatalyst, attack_target Server, tls_state TLSDecrypt, created_at 2024_10_02, cve CVE_2024_25153, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2024_10_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Look for HTTP POST requests to /servlet/ftpservlet whose URI contains directory traversal sequences (dots, literal or encoded as %2e, followed by slashes or backslashes, literal or encoded as %2f or %5c) after 'sid=', together with an 'x-file-name' header. This combination indicates an attempted path traversal file upload.
  • Alert on URL-encoded traversal variants in the ftpservlet URI: one or two dots (. or %2e) followed by one or more forward or back slashes (/, \, %2f, %5c), with that dot-and-slash group appearing two or more times consecutively.
  • The Snort/Suricata rule (sid:2056390) requires TLS decryption to be effective against HTTPS traffic, as indicated by the deployment metadata.
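
The rule's conditions can also be applied to requests that have already been logged, for example to check proxy or web server logs where no IDS was in place. The following is an added example, not part of the rule or its sources: it reuses the rule's PCRE as published, and the function names and sample requests are constructed for illustration. It assumes the logged URI is the raw, undecoded request string.

```python
import re

# PCRE from sid:2056390 without the leading '^' and the /R flag: it is applied
# with .match() at the offset just past each "sid=", which reproduces the
# "anchored directly after the previous content match" behaviour.
TRAVERSAL = re.compile(
    r"[^&]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}"
)

def matches_rule(method, uri, headers):
    """Return True when a request meets every condition of the rule."""
    # http.method content:"POST" and http.uri content:"/servlet/ftpservlet"
    if method != "POST" or "/servlet/ftpservlet" not in uri:
        return False
    # http.header; to_lowercase; content:"x-file-name: "
    header_buf = "".join(f"{k}: {v}\r\n" for k, v in headers.items()).lower()
    if "x-file-name: " not in header_buf:
        return False
    # content:"sid=" followed by the relative PCRE; try every occurrence.
    pos = uri.find("sid=")
    while pos != -1:
        if TRAVERSAL.match(uri, pos + len("sid=")):
            return True
        pos = uri.find("sid=", pos + 1)
    return False

# Constructed sample requests (method, raw URI, headers); not real traffic.
HDR = {"X-File-Name": "constructed.txt"}
SAMPLES = [
    ("POST", "/servlet/ftpservlet?sid=../../constructed", HDR),              # literal
    ("POST", "/servlet/ftpservlet?sid=%2e%2e%5c%2E%2E%5Cconstructed", HDR),  # encoded
    ("POST", "/servlet/ftpservlet?sid=../constructed", HDR),   # one group only
    ("POST", "/servlet/ftpservlet?sid=abc123&dir=../../constructed", HDR),   # past '&'
    ("GET", "/servlet/ftpservlet?sid=../../constructed", HDR),  # wrong method
    ("POST", "/servlet/ftpservlet?sid=../../constructed", {}),  # header missing
]

def scan(samples):
    """Evaluate each (method, uri, headers) tuple against the rule."""
    return [matches_rule(m, u, h) for m, u, h in samples]

if __name__ == "__main__":
    for sample, hit in zip(SAMPLES, scan(SAMPLES)):
        print("ALERT" if hit else "ok   ", sample[0], sample[1])
```

Only the first two samples alert: the rule needs two or more consecutive dot-and-slash groups inside the 'sid' value itself, so a single group or a traversal in a different parameter does not match.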