Fortra Releases Update on Critical Severity RCE Flaw

Fortra this week released an update for a critical vulnerability that was initially discovered in August 2023.

Tracked as CVE-2024-25153 with a critical severity CVSS score of 9.8, the vulnerability poses a threat to the company's FileCatalyst file transfer product. It's a type of software that allows for "the transfer of large files over remote networks experiencing high latency or packet loss," according to the company. 

The vulnerability can be exploited if an unauthenticated threat actor executes arbitrary code remotely on affected servers.

"A directory traversal within the 'ftpservlet' of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended 'uploadtemp' directory with a specially crafted POST request," Fortra said in its advisory. "In situations where a file is successfully uploaded to web portal's DocumentRoot, specially crafted JSP files could be used to execute code, including web shells."

Though Fortra has been aware of the bug since it was initially reported months ago, it is issuing a CVE now at the request of the individual who reported the vulnerability in the first place.

Fortra reports that products that are affected by this bug are its Fortra FileCatalyst Workflow 5.x software, and it recommends upgrading to the 5.1.6 Build 114 or higher to remediate the issue.