PoC exploit released for critical FileCatalyst flaw (CVE-2024-5276)

A critical SQL injection vulnerability in Fortra FileCatalyst Workflow (CVE-2024-5276) has recently been addressed with a patch, although a Proof of Concept (PoC) exploit has already surfaced online. While there have been no reported cases of active exploitation in the wild, enterprise administrators are strongly encouraged to update their installations promptly to mitigate any potential risks.

The vulnerability affects the Workflow component of Fortra FileCatalyst, a widely used enterprise software solution for accelerated, UDP-based transfers of large files. Exploitation could allow attackers to create administrative user accounts, as well as to modify and delete data within the application database. The vulnerability does not appear to allow data to be extracted from the database.

According to the company’s advisory, unauthenticated exploitation is possible only if anonymous access is enabled on the Workflow system; otherwise, the attacker needs the credentials of an authenticated user. The root cause is inadequate input validation: manipulated input strings can cause the application to execute unintended SQL statements.

The vulnerability is present in all versions of FileCatalyst Workflow up to and including 5.1.6 Build 135, and has been remedied in the latest version, 5.1.6 Build 139.

The vulnerability was uncovered by researchers at Tenable, who have released a PoC exploit demonstrating how remote attackers can log into a vulnerable FileCatalyst Workflow application, trigger the SQL injection through the JOBID parameter in various URL endpoints, create a new admin user (referred to as “operator”) with the password “password123,” and subsequently gain access as that admin user.
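Administrators who want to check whether the JOBID parameter has been probed can review web server access logs. The following is an added example, not code from Tenable's PoC or from Fortra: it flags requests whose JOBID query value falls outside an allowlist. The combined log format, the allowlist pattern, and the sample paths and addresses are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: legitimate JOBID values are short alphanumeric tokens. Check what
# your own Workflow instance emits and adjust before relying on this pattern.
SAFE_JOBID = re.compile(r"[A-Za-z0-9_-]{1,64}")

# Client address and request target of a combined-format access log line
# (assumed log format; adapt to your reverse proxy or servlet container).
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines: hypothetical paths, documentation-range addresses.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jul/2024:10:00:01 +0000] "GET /workflow/example.jsp?JOBID=1042 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jul/2024:10:00:05 +0000] "GET /workflow/example.jsp?JOBID=1042%27%3B-- HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jul/2024:10:00:09 +0000] "GET /workflow/other.jsp?lang=en&jobid=a%20b HTTP/1.1" 500 0',
]

def suspicious_jobid_requests(lines):
    """Return (ip, path, decoded_value) for every request whose JOBID query
    parameter does not match the allowlist pattern."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line we can parse
        url = urlsplit(m.group("target"))
        # parse_qsl percent-decodes values, so encoded quotes, semicolons and
        # spaces are compared in their decoded form.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name.upper() == "JOBID" and not SAFE_JOBID.fullmatch(value):
                hits.append((m.group("ip"), url.path, value))
    return hits

if __name__ == "__main__":
    for ip, path, value in suspicious_jobid_requests(SAMPLE_LOG):
        print(f"{ip} {path} JOBID={value!r}")
```

A JOBID sent in a POST body does not appear in access logs, so a clean result is inconclusive. An unexpected admin account named “operator” is the other trace the PoC described above would leave.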

Enterprise file transfer solutions, such as FileCatalyst Workflow, are often prime targets for threat actors seeking to pilfer sensitive corporate data and extort ransom from organizations. In a similar vein, a zero-day vulnerability in Fortra’s GoAnywhere MFT solution (CVE-2023-0669) was exploited by the Cl0P ransomware group in early 2023.

Just three months ago, a PoC exploit for a critical Remote Code Execution (RCE) vulnerability (CVE-2024-25153) in Fortra FileCatalyst Workflow was publicly disclosed, though no instances of exploitation were reported following the release of the exploit code.

Given the prevalence of cyber threats and the potential impact of successful exploits on organizations, it is imperative for enterprises using Fortra FileCatalyst Workflow to apply the necessary security updates promptly and bolster their defenses against malicious actors aiming to exploit such vulnerabilities. Vigilance and proactive measures are crucial in safeguarding against cybersecurity risks in today’s digital landscape.
