
CVE-2024-25153: Fortra FileCatalyst Path Traversal Flaw

CVE-2024-25153 is a path traversal vulnerability in Fortra FileCatalyst Workflow that enables attackers to upload files outside intended directories, potentially leading to code execution via malicious JSP files.

Updated: January 22, 2026

CVE-2024-25153 Overview

A critical directory traversal vulnerability exists within the ftpservlet component of the Fortra FileCatalyst Workflow Web Portal. This flaw allows unauthenticated attackers to upload files outside of the intended uploadtemp directory using specially crafted POST requests. When successfully exploited, attackers can upload malicious JSP files to the web portal's DocumentRoot, enabling arbitrary code execution including the deployment of web shells.

Critical Impact

Unauthenticated remote attackers can achieve full system compromise through arbitrary file upload and subsequent code execution via malicious JSP web shells.

Affected Products

  • Fortra FileCatalyst Workflow (versions prior to 5.1.6 Build 114)
  • Fortra FileCatalyst Workflow 5.1.6 Build 112

Discovery Timeline

  • 2024-03-13 - CVE-2024-25153 published to NVD
  • 2025-09-19 - Last updated in NVD database

Technical Details for CVE-2024-25153

Vulnerability Analysis

This directory traversal vulnerability (CWE-472, CWE-668) affects the ftpservlet component responsible for handling file uploads in the FileCatalyst Workflow Web Portal. The servlet fails to properly validate and sanitize file path parameters in incoming POST requests, allowing attackers to use path traversal sequences to write files to arbitrary locations on the server's filesystem.

The vulnerability is particularly severe because the affected component is accessible without authentication and the application runs with sufficient privileges to write to the web application's DocumentRoot. This combination enables attackers to bypass upload directory restrictions and place executable content directly in locations where it will be processed by the application server.

Root Cause

The root cause stems from improper input validation in the ftpservlet component. The servlet processes user-supplied file path information without adequately sanitizing directory traversal sequences such as ../. This allows an attacker to escape the intended uploadtemp directory and navigate to arbitrary filesystem locations, including the web portal's DocumentRoot where JSP files are executed.

The vulnerability is classified under CWE-472 (External Control of Assumed-Immutable Web Parameter) and CWE-668 (Exposure of Resource to Wrong Sphere), reflecting both the input validation failure and the resulting unauthorized access to protected filesystem locations.

Attack Vector

The attack is executed remotely over the network without requiring authentication or user interaction. An attacker sends a specially crafted HTTP POST request to the vulnerable ftpservlet endpoint, including path traversal sequences in the filename parameter. By navigating up the directory structure and into the DocumentRoot, the attacker can upload a malicious JSP file.

Once the JSP file is in place, the attacker accesses it via a web request, causing the application server to execute the embedded Java code. This typically involves deploying a web shell that provides persistent command execution capabilities on the compromised server.

The exploitation flow typically involves:

  1. Crafting a POST request with directory traversal sequences targeting the DocumentRoot
  2. Uploading a JSP web shell payload through the manipulated path
  3. Accessing the uploaded JSP file via HTTP to trigger code execution
  4. Establishing persistent access through the deployed web shell

A proof-of-concept exploit is available in the Nettitude GitHub repository demonstrating the exploitation technique.

Detection Methods for CVE-2024-25153

Indicators of Compromise

  • Unexpected JSP files appearing in the FileCatalyst Workflow DocumentRoot or web application directories
  • HTTP POST requests to /ftpservlet containing path traversal sequences (../ patterns) in request parameters
  • Newly created or modified JSP files with recent timestamps that don't match deployment schedules
  • Web shell activity patterns including suspicious command execution or reverse shell connections from the web server

Detection Strategies

  • Monitor HTTP access logs for POST requests to the ftpservlet endpoint containing encoded or plaintext directory traversal patterns
  • Implement file integrity monitoring (FIM) on the FileCatalyst Workflow DocumentRoot to detect unauthorized file additions
  • Deploy web application firewall (WAF) rules to block requests containing path traversal sequences targeting upload endpoints
  • Review server filesystem for JSP files created outside of normal deployment processes
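
The access-log check described in the first detection strategy can be sketched as follows. This is an added example, not SentinelOne or Fortra code; it assumes Common/Combined Log Format and that the traversal appears in the logged request line (parameters sent only in a POST body need proxy or WAF logs instead). The sample lines and the parameter name `f` are constructed.

```python
import re
from urllib.parse import unquote

# Request portion of a Common/Combined Log Format line (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# ".." used as a whole path segment, with / or \ separators.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=&])\.\.(?:[/\\&]|$)')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so single- and double-encoded forms normalise."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_traversal_posts(lines, endpoint="/ftpservlet"):
    """Return POSTs to the endpoint whose path or query holds a '..' segment."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        raw_path, _, raw_query = m["target"].partition("?")
        path, query = fully_decode(raw_path), fully_decode(raw_query)
        if endpoint not in path.lower():
            continue
        if TRAVERSAL_RE.search(path) or TRAVERSAL_RE.search(query):
            hits.append({"ip": m["ip"], "time": m["ts"],
                         "status": int(m["status"]), "query": query})
    return hits

# Constructed sample lines; the parameter name "f" is hypothetical.
SAMPLE_LOG = [
    '198.51.100.4 - - [13/Mar/2024:10:01:22 +0000] "POST /ftpservlet?f=report.pdf HTTP/1.1" 200 512',
    '203.0.113.7 - - [13/Mar/2024:10:02:10 +0000] "POST /ftpservlet?f=../../x.jsp HTTP/1.1" 200 87',
    '203.0.113.7 - - [13/Mar/2024:10:02:15 +0000] "POST /ftpservlet?f=%2e%2e%2fx.jsp HTTP/1.1" 200 87',
    '203.0.113.9 - - [13/Mar/2024:10:03:01 +0000] "POST /ftpservlet?f=%252e%252e%255cx.jsp HTTP/1.1" 200 87',
    '198.51.100.4 - - [13/Mar/2024:10:04:00 +0000] "POST /ftpservlet?f=q1..final.pdf HTTP/1.1" 200 512',
    '198.51.100.4 - - [13/Mar/2024:10:05:00 +0000] "GET /index.jsp?next=../home HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in find_traversal_posts(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["status"], hit["query"])
```

A 2xx status on a flagged request is a reason to check the DocumentRoot for files written around the same timestamp.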

Monitoring Recommendations

  • Enable detailed logging for the FileCatalyst Workflow application and review logs for anomalous upload activity
  • Configure alerts for new JSP file creation events in the web application directories
  • Monitor outbound network connections from the web server for potential command and control traffic
  • Implement network segmentation to limit lateral movement potential if the server is compromised
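
The file integrity monitoring and new-JSP alerting recommended above reduce to comparing the DocumentRoot against a trusted baseline. The following is an added example, not part of the vendor's tooling; it assumes the baseline is taken from a known-good install and stored off the server, and the directory tree it builds is constructed for the demonstration.

```python
import hashlib
import os
import tempfile

JSP_EXTS = (".jsp", ".jspx")

def snapshot_jsp(root):
    """Map each JSP file under root (relative path) to its SHA-256 digest."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(JSP_EXTS):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                snap[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return snap

def diff_snapshots(baseline, current):
    """Compare a trusted baseline with the current state of the tree."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current
                           if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Build a constructed DocumentRoot, take a baseline, then change it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "admin"))
        for rel, body in (("index.jsp", b"<%-- home --%>"),
                          ("admin/login.jsp", b"<%-- login --%>")):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        baseline = snapshot_jsp(root)
        # Simulated post-baseline changes: one new JSP, one altered JSP,
        # and a non-JSP file that the check ignores.
        with open(os.path.join(root, "admin", "status.jsp"), "wb") as fh:
            fh.write(b"<%-- unexpected --%>")
        with open(os.path.join(root, "index.jsp"), "ab") as fh:
            fh.write(b"<%-- appended --%>")
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"not a JSP")
        return diff_snapshots(baseline, snapshot_jsp(root))

if __name__ == "__main__":
    print(demo())
```

Any entry under "added" or "modified" that does not correspond to a deployment should be treated as a possible web shell and preserved for analysis before removal.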

How to Mitigate CVE-2024-25153

Immediate Actions Required

  • Update Fortra FileCatalyst Workflow to version 5.1.6 Build 114 or later immediately
  • If immediate patching is not possible, consider temporarily disabling the ftpservlet endpoint or restricting network access to the FileCatalyst Workflow Web Portal
  • Review server logs and filesystem for indicators of compromise to determine if exploitation has already occurred
  • Implement network-level access controls to limit exposure of the FileCatalyst Workflow Web Portal to trusted networks only

Patch Information

Fortra has released a security patch addressing this vulnerability in FileCatalyst Workflow version 5.1.6 Build 114. Organizations should upgrade to this version or later as soon as possible. The fix implements proper input validation and sanitization for file upload paths in the ftpservlet component.

For detailed patch information, refer to the Fortra Security Advisory FI-2024-002 and the FileCatalyst Release Notes.

Workarounds

  • Restrict network access to the FileCatalyst Workflow Web Portal using firewall rules to allow only trusted IP addresses
  • Deploy a web application firewall (WAF) with rules to detect and block path traversal attempts in HTTP requests
  • If the FTP upload functionality via the web portal is not required, consider disabling the ftpservlet component entirely
  • Implement strict file type validation at the network perimeter to block JSP file uploads
```bash
# Example: Restrict access to FileCatalyst Workflow using iptables
# Allow access only from trusted management network
iptables -A INPUT -p tcp --dport 8080 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Path Traversal
  • Vendor/Tech: Filecatalyst Workflow
  • Severity: CRITICAL
  • CVSS Score: 9.8
  • EPSS Probability: 82.11%
  • Known Exploited: No
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: High

CWE References

  • CWE-472
  • CWE-668

Technical References

  • FileCatalyst Release Notes
  • GitHub PoC for CVE-2024-25153

Vendor Resources

  • Fortra Security Advisory FI-2024-002