Fortra this week released an update for a critical vulnerability which was initially discovered in August 2023.
Classified as CVE-2024-25153 with a Critical Severity CVSS Score of 9.8, the vulnerability poses a threat to the company’s FileCatalyst file transfer product. This is a type of software that allows “the transfer of large files over remote networks that experience high latency or packet loss,” according to the company.
The vulnerability can be exploited if an unauthenticated threat actor remotely executes arbitrary code on affected servers.
“A directory traversal within the FileCatalyst workflow web portal ‘ftpservlet’ allows you to upload files outside of the intended ‘uploadtemp’ directory with a specially crafted POST request,” Fortra said in its advisory. “In situations where a file is successfully uploaded to the web portal’s DocumentRoot, specially crafted JSP files can be used to execute code, including web shells.”
While Fortra has been aware of the bug since it was reported months ago, it is now issuing a CVE at the request of the person who first reported the vulnerability.
Fortra reports that the products affected by this bug are Fortra FileCatalyst Workflow 5.x software and recommends updating to 5.1.6 Build 114 or later to resolve the issue.