PoC exploit for critical Fortra FileCatalyst flaw published (CVE-2024-5276)
A critical SQL injection vulnerability in Fortra FileCatalyst Workflow (CVE-2024-5276) has been patched; a PoC exploit is already available online.
While there are currently no reports of in-the-wild exploitation, enterprise admins are advised to patch their installations as soon as possible.
About CVE-2024-5276
Fortra FileCatalyst is an enterprise software solution for accelerated, UDP-based file transfer of large files.
It includes the following components:
- FileCatalyst Direct (a suite of server and client applications for file transfer)
- Workflow (a web portal for sharing and tracking files)
- Central (a web-based tool that allows users to view file transfers in real time)
CVE-2024-5276 affects the Workflow component, and may allow attackers to create administrative user accounts and modify and delete data in the application database – but apparently not to exfiltrate it.
“Successful unauthenticated exploitation requires a Workflow system with anonymous access enabled, otherwise an authenticated user is required,” the company noted.
“SQL Injection results from failure of the application to appropriately validate input. An attacker crafts input strings so that when the target software constructs SQL statements based on the input, the resulting SQL statement performs actions other than those the application intended.”
The vulnerability affects FileCatalyst Workflow 5.1.6 Build 135 and all earlier versions, and has been fixed in 5.1.6 Build 139.
CVE-2024-5276 PoC
CVE-2024-5276 was discovered by Tenable researchers, who published a PoC exploit that allows anonymous remote attackers to:
- Log into a vulnerable FileCatalyst Workflow application
- Trigger the SQL injection via the JOBID parameter in various URL endpoints
- Create a new admin user (operator) with password123 as the password
- Log in as that admin user
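For defenders who want to check web server logs for requests that abuse the JOBID parameter, the following is an added example (not code from Fortra, Tenable or the original article) that flags requests whose JOBID value fails an allow-list after URL decoding. The log format (common/combined), the sample paths and the allow-list pattern for legitimate JOBID values are assumptions to adjust per deployment.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Assumption: legitimate JOBID values are short plain identifiers; tune to your data.
SAFE_JOBID = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Client address and request target from a common/combined-format access log line.
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines; the paths are placeholders, not real Workflow endpoints.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jul/2024:10:00:01 +0000] "GET /workflow/page-a?JOBID=1042 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jul/2024:10:00:05 +0000] "GET /workflow/page-b?JOBID=1042%27%3B-- HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jul/2024:10:00:09 +0000] "GET /workflow/page-b?jobid=1042%2527 HTTP/1.1" 500 128',
    '203.0.113.4 - - [01/Jul/2024:10:00:12 +0000] "GET /workflow/page-c?other=x%27 HTTP/1.1" 200 64',
]

def fully_decode(value, max_rounds=3):
    """Undo repeated URL-encoding (%2527 -> %27 -> ') so layered encoding cannot hide characters."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_jobid_requests(lines):
    """Return (ip, path, decoded_value) for each request whose JOBID fails the allow-list."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line in the assumed format
        parts = urlsplit(m.group("target"))
        # parse_qsl decodes once; fully_decode removes any further encoding layers.
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):
            if name.upper() != "JOBID":  # match the parameter name case-insensitively
                continue
            value = fully_decode(raw)
            if not SAFE_JOBID.fullmatch(value):
                hits.append((m.group("ip"), parts.path, value))
    return hits

if __name__ == "__main__":
    for ip, path, value in suspicious_jobid_requests(SAMPLE_LOG):
        print(f"{ip} {path} JOBID={value!r}")
```

Access logs normally record only the query string, so a JOBID value sent in a request body will not appear in them and needs application or WAF logging to be seen.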
Enterprise file transfer solutions are often targeted by threat actors, who are keen on stealing companies’ sensitive information and holding it for ransom.
In early 2023, Fortra’s GoAnywhere MFT solution was targeted via a zero-day vulnerability (CVE-2023-0669) by the Cl0P ransomware gang.
Three months ago, PoC exploit code for a critical RCE vulnerability (CVE-2024-25153) in Fortra FileCatalyst Workflow was also made public, but no exploitation attempts followed.