CVE-2024-5276
Published: 2024-06-25
CVE-2024-5276: A SQL Injection vulnerability in Fortra FileCatalyst Workflow allows an attacker to modify application data. Likely impacts include creation of administrative…
Priority: P187 · critical · 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 90.07% (99.8th percentile)
A SQL Injection vulnerability in Fortra FileCatalyst Workflow allows an attacker to modify application data. Likely impacts include creation of administrative users and deletion or modification of data in the application database. Data exfiltration via SQL injection is not possible using this vulnerability. Successful unauthenticated exploitation requires a Workflow system with anonymous access enabled, otherwise an authenticated user is required. This issue affects all versions of FileCatalyst Workflow from 5.1.6 Build 135 and earlier.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fortra | filecatalyst_workflow | < 5.1.6 | 5.1.6 |
| fortra | filecatalyst_workflow | — | — |
| fortra | filecatalyst_workflow | — | — |
Detection & IOCs (extracted from sources)
other: JOBID=
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Fortra FileCatalyst Workflow Unauthenticated SQLi (CVE-2024-5276)"; flow:established, to_server; http.method; content:"GET"; http.uri; content:"JOBID|3d|"; fast_pattern; nocase; pcre:"/^.*?(?:(?:S(?:HOW\x20(?:C(?:UR(?:DAT|TIM)E|HARACTER\x20SET)|(?:VARI|T)ABLES)|ELECT\x20(?:FROM|USER))|U(?:NION\x20SELEC|PDATE\x20SE)T|DELETE\x20FROM|INSERT\x20INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\x2f\*.+\*\x2f)/Ri"; reference:url,www.tenable.com/security/research/tra-2024-25; reference:cve,2024-5276; classtype:web-application-attack; sid:2057747; rev:2; metadata:affected_product Fortra_FileCatalyst, attack_target Server, tls_state TLSDecrypt, created_at 2024_11_21, cve CVE_2024_5276, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2024_11_25, reviewed_at 2025_08_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- The Metasploit module exploits the vulnerability by adding a new administrative user to the web interface. Post-exploitation, monitor for unexpected new administrative user accounts created in the FileCatalyst Workflow application database.
- Unauthenticated exploitation is only possible when anonymous access is enabled on the Workflow system. Authenticated exploitation is possible regardless. Audit FileCatalyst Workflow instances for anonymous access configuration.
- The Nuclei template extracts credentials (username/password) from the vulnerable endpoint. Monitor for automated scanning activity targeting FileCatalyst Workflow that outputs USER and PASS fields.
- The Snort rule is tagged for TLS-decrypted traffic (tls_state TLSDecrypt / deployment SSLDecrypt), meaning detection requires SSL inspection on perimeter and internal sensors.
- All versions of FileCatalyst Workflow from 5.1.6 Build 135 and earlier are affected. Patch or upgrade beyond this build to remediate.
- Data exfiltration via SQL injection is explicitly NOT possible with this vulnerability; the primary risk is data modification and creation of administrative users.
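Where TLS inspection is not available to the network sensors, the same three conditions the rule checks (GET method, `JOBID=` in the URI, SQL keywords after it) can be hunted in the web server's own access logs. The following is an added example, not part of the rule or of any vendor tooling; it assumes combined-format access logs, uses a simplified keyword regex rather than a translation of the rule's pcre, and `/PLACEHOLDER_PATH` stands in for the endpoint, which this page does not give.

```python
import re
from urllib.parse import unquote_plus

# Simplified approximation of the keyword alternation in sid:2057747
# (assumption: not a byte-for-byte translation of the rule's pcre).
SQL_AFTER_JOBID = re.compile(
    r"(?:SELECT.+(?:FROM|USER)|UNION.+SELECT|UPDATE.+SET|DELETE.+FROM"
    r"|INSERT.+INTO|SHOW.+(?:TABLES|VARIABLES|CHARACTER.+SET|CURDATE|CURTIME)"
    r"|/\*.+\*/)",
    re.IGNORECASE | re.DOTALL,
)
JOBID = re.compile(r"JOBID=", re.IGNORECASE)  # the rule's content match is nocase
# Assumption: common/combined log format, client address first, request line quoted.
REQUEST = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def check_line(line):
    """Return (client, decoded_uri) when a log line meets all three conditions, else None."""
    m = REQUEST.match(line)
    if not m or m.group("method") != "GET":  # the rule only inspects GET requests
        return None
    uri = unquote_plus(m.group("uri"))  # logs hold the raw, still-encoded URI
    key = JOBID.search(uri)
    if not key:
        return None
    # Like the rule's /R modifier, only text after "JOBID=" is examined.
    if SQL_AFTER_JOBID.search(uri[key.end():]):
        return m.group("src"), uri
    return None


def scan(lines):
    """Return every (client, decoded_uri) hit in an iterable of log lines."""
    return [hit for hit in map(check_line, lines) if hit]


# Constructed sample lines (documentation address ranges, placeholder path).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jul/2024:10:00:01 +0000] "GET /PLACEHOLDER_PATH?JOBID=4711 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jul/2024:10:00:05 +0000] "GET /PLACEHOLDER_PATH?jobid=x%20INSERT%20INTO%20y HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jul/2024:10:00:09 +0000] "GET /PLACEHOLDER_PATH?JOBID=x/**/UPDATE/**/y/**/SET/**/z HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jul/2024:10:00:12 +0000] "POST /PLACEHOLDER_PATH?JOBID=x%20UNION%20SELECT%20y HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for src, uri in scan(SAMPLE_LOG):
        print(f"suspect JOBID request from {src}: {uri}")
```

A hit is a lead for review rather than proof of compromise; correlate it with the administrative-account audit described in the notes above.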
CVSS provenance
nvd: v3.1 · 9.1 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
vulncheck: 9.8 CRITICAL
GHSA
GHSA-mgcv-6r68-pw73: A SQL Injection vulnerability in Fortra FileCatalyst Workflow allows an attacker to modify application data
ghsa_unreviewed·2024-06-25
CVE-2024-5276 [CRITICAL] CWE-20 GHSA-mgcv-6r68-pw73: A SQL Injection vulnerability in Fortra FileCatalyst Workflow allows an attacker to modify application data
VulnCheck
Fortra filecatalyst_workflow Improper Input Validation
vulncheck·2024·CVSS 9.8
CVE-2024-5276 [CRITICAL] Fortra filecatalyst_workflow Improper Input Validation
Affected: Fortra filecatalyst_workflow
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Suricata
ET WEB_SPECIFIC_APPS Fortra FileCatalyst Workflow Unauthenticated SQLi (CVE-2024-5276)
suricata·2024-11-21·CVSS 9.8
CVE-2024-5276 [CRITICAL] ET WEB_SPECIFIC_APPS Fortra FileCatalyst Workflow Unauthenticated SQLi (CVE-2024-5276)
Metasploit
Fortra FileCatalyst Workflow SQL Injection (CVE-2024-5276)
metasploit·CVSS 9.1
CVE-2024-5276 [CRITICAL] Fortra FileCatalyst Workflow SQL Injection (CVE-2024-5276)
This module exploits a SQL injection vulnerability in Fortra FileCatalyst Workflow <= v5.1.6 Build 135, by adding a new administrative user to the web interface of the application.
Nuclei
Fortra FileCatalyst Workflow <= v5.1.6 - SQL Injection
nuclei·CVSS 9.1
CVE-2024-5276 [CRITICAL] Fortra FileCatalyst Workflow <= v5.1.6 - SQL Injection
Fortra FileCatalyst Workflow FileCatalyst Workflow Administration'
- '{{to_lower(username)}}'
condition: and
extractors:
- type: dsl
dsl:
- '"USER: "+ username'
- '"PASS: "+ password'
# digest: 490a0046304402207746920759ccee4224531f40504e85cc463626753ef86c475e2d41c99539b73802204afe3d967c6ee909de5d55e1435a7e103a8f8b346b48a0cd3dd096522e06fabe:922c64590222798bb761d5b6d8e72950
References
- https://support.fortra.com/filecatalyst/kb-articles/advisory-6-24-2024-filecatalyst-workflow-sql-injection-vulnerability-YmYwYWY4OTYtNTUzMi1lZjExLTg0MGEtNjA0NWJkMDg3MDA0
- https://www.fortra.com/security/advisory/fi-2024-008
- https://www.tenable.com/security/research/tra-2024-25