Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2024-23692

CVE-2024-23692: Rejetto HTTP File Server RCE Vulnerability

CVE-2024-23692 is a template injection RCE flaw in Rejetto HTTP File Server versions up to 2.3m that allows unauthenticated attackers to execute arbitrary commands remotely. This article covers technical details, impact, and mitigations.

Published:

CVE-2024-23692 Overview

CVE-2024-23692 is a critical template injection vulnerability affecting Rejetto HTTP File Server (HFS) up to and including version 2.3m. This vulnerability enables a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request. The affected software version (HFS 2.3m) is no longer supported by the vendor, making this vulnerability particularly dangerous for organizations still running legacy installations.

Critical Impact

This vulnerability is actively exploited in the wild and has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog. Unauthenticated attackers can achieve complete system compromise through remote code execution without any user interaction.

Affected Products

  • Rejetto HTTP File Server versions up to and including 2.3m
  • All platforms running the affected HFS versions
  • Systems where HFS is exposed to untrusted networks

Discovery Timeline

  • 2024-05-31 - CVE-2024-23692 published to NVD
  • 2025-10-31 - Last updated in NVD database

Technical Details for CVE-2024-23692

Vulnerability Analysis

This vulnerability stems from improper handling of user-supplied input within the template processing mechanism of Rejetto HFS. The application utilizes a custom template engine that processes requests without adequate sanitization, allowing attackers to inject malicious template expressions that are subsequently evaluated by the server. When exploited, these injected templates can execute arbitrary system commands with the privileges of the HFS process.

The vulnerability is classified under CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine) and CWE-94 (Improper Control of Generation of Code - Code Injection). The attack requires no authentication and can be executed remotely over the network, making internet-facing HFS installations extremely vulnerable.

Root Cause

The root cause of CVE-2024-23692 lies in insufficient input validation within the HFS template engine. The application fails to properly sanitize or restrict user-controlled data before processing it through the template system. Template expressions embedded in HTTP requests are interpreted and executed by the server, allowing attackers to escape the intended template context and inject arbitrary code. This design flaw essentially treats untrusted user input as trusted template code.

Attack Vector

The attack vector for this vulnerability is network-based, requiring no privileges or user interaction. An attacker can craft malicious HTTP requests containing template injection payloads directed at a vulnerable HFS instance. When the server processes these requests, the injected template code is executed, enabling command execution on the underlying operating system.

The exploitation process typically involves:

  1. Identifying an exposed Rejetto HFS instance running version 2.3m or earlier
  2. Crafting HTTP requests with malicious template expressions
  3. Sending the payload to trigger template evaluation
  4. Achieving remote command execution on the target system

A Metasploit module has been developed and integrated into the framework, significantly lowering the barrier for exploitation. Technical details and analysis are available from Mohemiv's RCE Analysis and the VulnCheck Advisory.

Detection Methods for CVE-2024-23692

Indicators of Compromise

  • Unusual HTTP requests to HFS instances containing encoded or special characters in URL parameters
  • Unexpected child processes spawned by the HFS executable (e.g., cmd.exe, powershell.exe, or shell processes)
  • Network connections from HFS to external IP addresses not associated with normal file transfer operations
  • Evidence of reconnaissance commands (whoami, systeminfo, ipconfig) in process logs

Detection Strategies

  • Implement network intrusion detection rules to identify HTTP requests containing template injection patterns targeting HFS
  • Monitor for suspicious process execution chains where HFS spawns command interpreters or scripting engines
  • Deploy web application firewall (WAF) rules to filter requests with malicious template syntax
  • Utilize SentinelOne's behavioral AI to detect anomalous code execution patterns from the HFS process

Monitoring Recommendations

  • Enable detailed HTTP access logging on all HFS instances to capture full request details
  • Configure endpoint detection and response (EDR) solutions to alert on process creation events from HFS
  • Establish baseline network behavior for HFS servers and alert on deviations
  • Review HFS instances for unexpected file modifications or new file creations in system directories

How to Mitigate CVE-2024-23692

Immediate Actions Required

  • Immediately take offline or isolate any Rejetto HFS instances running version 2.3m or earlier from untrusted networks
  • Migrate to HFS version 3.x, which is a complete rewrite not affected by this vulnerability
  • If decommissioning is not immediately possible, restrict access to HFS through firewall rules allowing only trusted IP addresses
  • Conduct forensic analysis on exposed HFS instances to determine if exploitation has already occurred

Patch Information

Rejetto HFS version 2.3m and all prior versions are end-of-life and will not receive security patches. The vendor has released HFS version 3, which is a completely rewritten application that does not share the vulnerable codebase. Organizations must upgrade to HFS 3.x or migrate to an alternative file sharing solution to fully remediate this vulnerability.

For additional guidance, refer to the CISA Known Exploited Vulnerabilities Catalog entry and the Vicarius mitigation guide.

Workarounds

  • Deploy network segmentation to prevent direct internet access to HFS servers
  • Implement a reverse proxy with strict input validation and request filtering in front of HFS instances
  • Use host-based firewall rules to limit HFS connectivity to known, trusted clients only
  • Configure SentinelOne policies to block command interpreter execution from HFS process context
bash
# Example: Block external access to HFS using Windows Firewall
netsh advfirewall firewall add rule name="Block HFS External" dir=in action=block program="C:\Path\To\hfs.exe" remoteip=any localip=any

# Allow only specific trusted IP ranges
netsh advfirewall firewall add rule name="Allow HFS Trusted" dir=in action=allow program="C:\Path\To\hfs.exe" remoteip=192.168.1.0/24

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne