CVE-2024-25153
Published: 2024-03-13
Priority P272 · critical · CVSS 3.1 score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 41.74% (98.5th percentile)
A directory traversal within the ‘ftpservlet’ of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended ‘uploadtemp’ directory with a specially crafted POST request. In situations where a file is successfully uploaded to the web portal’s DocumentRoot, specially crafted JSP files could be used to execute code, including web shells.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fortra | filecatalyst | >= 5.1.4 < 5.1.6 | 5.1.6 |
| fortra | filecatalyst_workflow | — | — |
| fortra | filecatalyst_workflow | >= 5.0 < 5.1.6 | 5.1.6 |
Detection & IOCs
url: /servlet/ftpservlet
snort:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Fortra FileCatalyst Workflow 5.x Arbitrary File Upload (CVE-2024-25153)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/servlet/ftpservlet"; fast_pattern; content:"sid|3d|"; pcre:"/^[^&]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; http.header; to_lowercase; content:"x-file-name|3a 20|"; reference:url,labs.nettitude.com/blog/cve-2024-25153-remote-code-execution-in-fortra-filecatalyst/; reference:cve,2024-25153; classtype:web-application-attack; sid:2056390; rev:1; metadata:affected_product Fortra_FileCatalyst, attack_target Server, tls_state TLSDecrypt, created_at 2024_10_02, cve CVE_2024_25153, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2024_10_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Look for HTTP POST requests to /servlet/ftpservlet whose 'sid=' parameter value contains directory traversal sequences, written with literal or encoded dots (%2e) and slashes (%2f, %5c), together with an 'x-file-name' header. This combination indicates an attempted path traversal file upload.
- Alert on URL-encoded traversal variants in the ftpservlet URI: both double-dot forms (.. and %2e%2e) combined with forward/back slash encodings (%2f, %5c, \) appearing two or more times consecutively.
- The Snort/Suricata rule (sid:2056390) requires TLS decryption to be effective against HTTPS traffic, as indicated by the deployment metadata.
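The conditions in the bullets above, expressed as a check over already-parsed requests, for hunting in proxy or WAF logs where the IDS rule is not deployed. This is an added example, not code from the page or from the rule's authors; `matches_rule`, `flag_requests` and the sample requests are constructed for illustration, and it assumes the URI is available as received, before percent-decoding.

```python
import re

# Mirrors the rule's pcre: after "sid=", inside that one parameter (no "&"),
# two or more consecutive groups of 1-2 dots followed by 1+ slashes,
# each character either literal or percent-encoded.
SID_TRAVERSAL = re.compile(
    r"sid=[^&]*?(?:(?:\.|%2[Ee]){1,2}(?:/|\\|%5[Cc]|%2[Ff])+){2,}"
)
SERVLET_PATH = "/servlet/ftpservlet"


def matches_rule(method, uri, headers):
    """Return True when a request meets every condition of sid:2056390."""
    if method != "POST" or SERVLET_PATH not in uri:
        return False
    if not SID_TRAVERSAL.search(uri):
        return False
    # The rule lowercases the header buffer before looking for "x-file-name: ".
    return any(name.lower() == "x-file-name" for name in headers)


def flag_requests(requests):
    """Return the indexes of the (method, uri, headers) records that match."""
    return [i for i, (m, u, h) in enumerate(requests) if matches_rule(m, u, h)]


# Constructed sample requests (method, URI, headers); not captured traffic.
UPLOAD = {"X-File-Name": "constructed.txt"}
SAMPLES = [
    ("POST", "/servlet/ftpservlet?sid=../../constructed/", UPLOAD),  # literal
    ("POST", "/servlet/ftpservlet?sid=%2e%2e%5C%2E%2E%2fconstructed", UPLOAD),  # encoded
    ("POST", "/servlet/ftpservlet?sid=abc123", UPLOAD),  # ordinary sid value
    ("POST", "/servlet/ftpservlet?sid=../constructed", UPLOAD),  # one group only
    ("POST", "/servlet/ftpservlet?sid=abc123&d=../../x", UPLOAD),  # outside sid
    ("GET", "/servlet/ftpservlet?sid=../../constructed/", UPLOAD),  # wrong method
    ("POST", "/servlet/ftpservlet?sid=../../constructed/", {}),  # header absent
]

if __name__ == "__main__":
    for i in flag_requests(SAMPLES):
        print("match:", SAMPLES[i][0], SAMPLES[i][1])
```

Only the first two samples match. A single `../`, or a traversal in a parameter other than `sid`, does not fire the rule, so coverage for those cases has to come from other detections.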
Suricata
ET WEB_SPECIFIC_APPS Fortra FileCatalyst Workflow 5.x Arbitrary File Upload (CVE-2024-25153)
suricata·2024-10-02·CVSS 9.8
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Fortra FileCatalyst Workflow 5.x Arbitrary File Upload (CVE-2024-25153)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/servlet/ftpservlet"; fast_pattern; content:"sid|3d|"; pcre:"/^[^&]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; http.header; to_lowercase; content:"x-file-name|3a 20|"; reference:url,labs.nettitude.com/blog/cve-2024-25153-remote-code-execution-in-fortra-filecatalyst/; reference:cve,2024-25153; classtype:web-application-attack; sid:2056390; rev:1; metadata:affected_product Fortra_FileCatalyst, attack_target Server, tls_state TLSDecrypt, created_at 2024_10_02, cve
No public exploits indexed.
No writeups or analysis indexed.
- https://filecatalyst.software/public/filecatalyst/Workflow/5.1.6.114/fcweb_releasenotes.html
- https://www.fortra.com/security/advisory/fi-2024-002
- https://github.com/nettitude/CVE-2024-25153/blob/master/CVE-2024-25153.py