CVE-2024-23692 Overview
CVE-2024-23692 is a critical template injection vulnerability affecting Rejetto HTTP File Server (HFS) up to and including version 2.3m. This vulnerability enables a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request. The affected software version (HFS 2.3m) is no longer supported by the vendor, making this vulnerability particularly dangerous for organizations still running legacy installations.
Critical Impact
This vulnerability is actively exploited in the wild and has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog. Unauthenticated attackers can achieve complete system compromise through remote code execution without any user interaction.
Affected Products
- Rejetto HTTP File Server versions up to and including 2.3m
- All platforms running the affected HFS versions
- Systems where HFS is exposed to untrusted networks
Discovery Timeline
- 2024-05-31 - CVE-2024-23692 published to NVD
- 2025-10-31 - Last updated in NVD database
Technical Details for CVE-2024-23692
Vulnerability Analysis
This vulnerability stems from improper handling of user-supplied input within the template processing mechanism of Rejetto HFS. The application utilizes a custom template engine that processes requests without adequate sanitization, allowing attackers to inject malicious template expressions that are subsequently evaluated by the server. When exploited, these injected templates can execute arbitrary system commands with the privileges of the HFS process.
The vulnerability is classified under CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine) and CWE-94 (Improper Control of Generation of Code - Code Injection). The attack requires no authentication and can be executed remotely over the network, making internet-facing HFS installations extremely vulnerable.
Root Cause
The root cause of CVE-2024-23692 lies in insufficient input validation within the HFS template engine. The application fails to properly sanitize or restrict user-controlled data before processing it through the template system. Template expressions embedded in HTTP requests are interpreted and executed by the server, allowing attackers to escape the intended template context and inject arbitrary code. This design flaw essentially treats untrusted user input as trusted template code.
Attack Vector
The attack vector for this vulnerability is network-based, requiring no privileges or user interaction. An attacker can craft malicious HTTP requests containing template injection payloads directed at a vulnerable HFS instance. When the server processes these requests, the injected template code is executed, enabling command execution on the underlying operating system.
The exploitation process typically involves:
- Identifying an exposed Rejetto HFS instance running version 2.3m or earlier
- Crafting HTTP requests with malicious template expressions
- Sending the payload to trigger template evaluation
- Achieving remote command execution on the target system
A Metasploit module has been developed and integrated into the framework, significantly lowering the barrier for exploitation. Technical details and analysis are available from Mohemiv's RCE Analysis and the VulnCheck Advisory.
Detection Methods for CVE-2024-23692
Indicators of Compromise
- Unusual HTTP requests to HFS instances containing encoded or special characters in URL parameters
- Unexpected child processes spawned by the HFS executable (e.g., cmd.exe, powershell.exe, or shell processes)
- Network connections from HFS to external IP addresses not associated with normal file transfer operations
- Evidence of reconnaissance commands (whoami, systeminfo, ipconfig) in process logs
Detection Strategies
- Implement network intrusion detection rules to identify HTTP requests containing template injection patterns targeting HFS
- Monitor for suspicious process execution chains where HFS spawns command interpreters or scripting engines
- Deploy web application firewall (WAF) rules to filter requests with malicious template syntax
- Utilize SentinelOne's behavioral AI to detect anomalous code execution patterns from the HFS process
Monitoring Recommendations
- Enable detailed HTTP access logging on all HFS instances to capture full request details
- Configure endpoint detection and response (EDR) solutions to alert on process creation events from HFS
- Establish baseline network behavior for HFS servers and alert on deviations
- Review HFS instances for unexpected file modifications or new file creations in system directories
How to Mitigate CVE-2024-23692
Immediate Actions Required
- Immediately take offline or isolate any Rejetto HFS instances running version 2.3m or earlier from untrusted networks
- Migrate to HFS version 3.x, which is a complete rewrite not affected by this vulnerability
- If decommissioning is not immediately possible, restrict access to HFS through firewall rules allowing only trusted IP addresses
- Conduct forensic analysis on exposed HFS instances to determine if exploitation has already occurred
Patch Information
Rejetto HFS version 2.3m and all prior versions are end-of-life and will not receive security patches. The vendor has released HFS version 3, which is a completely rewritten application that does not share the vulnerable codebase. Organizations must upgrade to HFS 3.x or migrate to an alternative file sharing solution to fully remediate this vulnerability.
For additional guidance, refer to the CISA Known Exploited Vulnerabilities Catalog entry and the Vicarius mitigation guide.
Workarounds
- Deploy network segmentation to prevent direct internet access to HFS servers
- Implement a reverse proxy with strict input validation and request filtering in front of HFS instances
- Use host-based firewall rules to limit HFS connectivity to known, trusted clients only
- Configure SentinelOne policies to block command interpreter execution from HFS process context
# Example: Block external access to HFS using Windows Firewall
netsh advfirewall firewall add rule name="Block HFS External" dir=in action=block program="C:\Path\To\hfs.exe" remoteip=any localip=any
# Allow only specific trusted IP ranges
netsh advfirewall firewall add rule name="Allow HFS Trusted" dir=in action=allow program="C:\Path\To\hfs.exe" remoteip=192.168.1.0/24
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
