Fortra Releases Update on Critical Severity RCE Flaw

The flaw has a CVSS rating of 9.8, and the company recommends product upgrades to fix the issue.

Dark Reading Staff, Dark Reading

March 19, 2024


Fortra this week released an update for a critical vulnerability that was initially discovered in August 2023.

Tracked as CVE-2024-25153 with a critical severity CVSS score of 9.8, the vulnerability poses a threat to the company's FileCatalyst file transfer product. It's a type of software that allows for "the transfer of large files over remote networks experiencing high latency or packet loss," according to the company. 

The vulnerability allows an unauthenticated remote attacker to execute arbitrary code on affected servers.

"A directory traversal within the 'ftpservlet' of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended 'uploadtemp' directory with a specially crafted POST request," Fortra said in its advisory. "In situations where a file is successfully uploaded to the web portal's DocumentRoot, specially crafted JSP files could be used to execute code, including web shells."
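The upload pattern the advisory describes, as an added illustration that is not FileCatalyst code: a servlet that writes a client-named file under an upload scratch directory, beside a hardened version of the same step. The directory layout (an 'uploadtemp' directory inside the web root), the sample filenames and the helper names are assumptions made for the example; no FileCatalyst request format or parameter name is reproduced.

```python
"""
Added example for the traversal class in CVE-2024-25153: a client-supplied
filename is joined onto an upload directory without validation, so '..'
segments (or an absolute name) land the file elsewhere, including the web
root, where a .jsp would be executed.  Layout and names are assumptions.
"""
import posixpath
import re
from typing import Optional

# Assumed layout: the upload scratch directory sits inside DocumentRoot, so
# escaping it by a single level already reaches the executable web root.
DOC_ROOT = "/opt/app/webroot"
UPLOAD_TEMP = posixpath.join(DOC_ROOT, "uploadtemp")


def naive_target(client_name: str) -> str:
    """Vulnerable pattern: join the client-chosen name as-is.

    posixpath.join discards UPLOAD_TEMP entirely when client_name is
    absolute, and normpath lets '..' segments walk out of it.
    """
    return posixpath.normpath(posixpath.join(UPLOAD_TEMP, client_name))


def escapes_upload_dir(client_name: str) -> bool:
    """Detection helper: would the naive join write outside UPLOAD_TEMP?"""
    target = naive_target(client_name)
    return posixpath.commonpath([UPLOAD_TEMP, target]) != UPLOAD_TEMP


# Allowlist for a bare filename: no separators, no leading dot (which also
# excludes '.', '..' and dotfiles), bounded length.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def safe_target(client_name: str) -> Optional[str]:
    """Hardened pattern: validate the name, then confine the resolved path."""
    # 1. Reject anything that is not a single path component outright
    #    (including NUL, which some lower layers would truncate at).
    if "/" in client_name or "\\" in client_name or "\0" in client_name:
        return None
    # 2. Strict character allowlist on the remaining component.
    if not _SAFE_NAME.fullmatch(client_name):
        return None
    # 3. Defence in depth: even though 1-2 already guarantee it, verify the
    #    final path is strictly inside UPLOAD_TEMP before opening it.  In a
    #    real deployment use os.path.realpath here as well so that symlinks
    #    under the upload directory cannot redirect the write.
    target = posixpath.normpath(posixpath.join(UPLOAD_TEMP, client_name))
    if target == UPLOAD_TEMP or posixpath.commonpath([UPLOAD_TEMP, target]) != UPLOAD_TEMP:
        return None
    return target


# Constructed sample filenames, as a client might place them in a multipart
# upload; none is taken from any real request.
SAMPLE_NAMES = [
    "report.pdf",
    "../shell.jsp",
    "/etc/passwd",
    ".htaccess",
]


def compare(names=SAMPLE_NAMES):
    """Return {name: (where the naive join writes, what the safe path allows)}."""
    return {n: (naive_target(n), safe_target(n)) for n in names}


if __name__ == "__main__":
    for name, (naive, safe) in compare().items():
        flag = "ESCAPES" if escapes_upload_dir(name) else "inside"
        print(f"{name!r:20} naive={naive} [{flag}]  safe={safe}")
```

The first sample resolves identically under both functions; the traversal name lands the naive write directly in the assumed web root, and the absolute name ignores the upload directory altogether. Both are rejected by the hardened path, as is the dotfile. Note that confining the path is only part of the fix: the upload directory should also be served as static data (or not served at all) so that a file that does get written there is never interpreted as JSP.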

Fortra has known about the bug since it was first reported in August 2023; it assigned a CVE now at the request of the researcher who originally reported the vulnerability.

Fortra reports that the affected product is FileCatalyst Workflow 5.x (releases earlier than 5.1.6 Build 114), and it recommends upgrading to 5.1.6 Build 114 or later to remediate the issue.
