CVE-2024-6633 Overview
CVE-2024-6633 is a hardcoded credentials vulnerability affecting Fortra FileCatalyst Workflow. The default credentials for the setup HSQL database (HSQLDB) are published in a vendor knowledgebase article, allowing attackers to potentially compromise the confidentiality, integrity, or availability of the software. While the HSQLDB is only included to facilitate installation and has been deprecated by the vendor, organizations that have not migrated to an alternative database remain vulnerable to attack from any source that can reach the HSQLDB network endpoint.
Critical Impact
Attackers with network access can use publicly available default credentials to gain unauthorized access to the FileCatalyst Workflow database, potentially leading to complete system compromise including data theft, data manipulation, and service disruption.
Affected Products
- Fortra FileCatalyst Workflow (all versions using default HSQLDB configuration)
- FileCatalyst Workflow installations that have not been configured to use an alternative database
- Systems where HSQLDB remains network-accessible
Discovery Timeline
- 2024-08-27 - CVE-2024-6633 published to NVD
- 2025-08-29 - Last updated in NVD database
Technical Details for CVE-2024-6633
Vulnerability Analysis
This vulnerability stems from the use of hardcoded credentials (CWE-798) combined with information exposure (CWE-200). The FileCatalyst Workflow software ships with a default HSQL database containing static, publicly documented credentials. The presence of these credentials in vendor documentation creates a significant security risk as any attacker with network connectivity to the database can authenticate using these well-known credentials.
The vulnerability is particularly dangerous because it requires no prior authentication or user interaction to exploit. An attacker simply needs to identify a FileCatalyst Workflow installation with an exposed HSQLDB instance and connect using the default credentials found in publicly available vendor documentation.
Root Cause
The root cause is the use of hardcoded default credentials in the HSQLDB setup database combined with the publication of these credentials in vendor knowledgebase articles. While Fortra intended HSQLDB only for installation facilitation and explicitly marked it as deprecated and not suitable for production use, many organizations may have failed to migrate to a recommended alternative database solution, leaving them exposed.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker can exploit this vulnerability by:
- Identifying FileCatalyst Workflow installations exposed to the network
- Locating the HSQLDB service endpoint
- Retrieving the default credentials from publicly available vendor documentation
- Connecting to the HSQLDB using the default credentials
- Executing arbitrary database operations to extract, modify, or delete data
Because the credentials are publicly documented, this amounts to unauthenticated remote access whenever the HSQLDB service is reachable over the network.
Detection Methods for CVE-2024-6633
Indicators of Compromise
- Unexpected database connections to the HSQLDB service from external IP addresses
- Authentication attempts using default credentials against the FileCatalyst Workflow database
- Unusual data access patterns or bulk data extraction from the HSQLDB
- Modifications to workflow configurations or user accounts without authorized activity
Detection Strategies
- Monitor network traffic for connections to the HSQLDB port from untrusted sources
- Implement database activity monitoring to detect authentication using default credentials
- Review database audit logs for unauthorized access attempts or successful connections
- Deploy network intrusion detection rules to identify HSQLDB protocol traffic from external networks
- Conduct regular configuration audits to identify systems still using the default HSQLDB setup
Monitoring Recommendations
- Enable detailed logging on all FileCatalyst Workflow database connections
- Configure alerts for any successful authentication to HSQLDB from non-localhost addresses
- Implement network segmentation monitoring to detect unexpected cross-segment database access
- Establish baseline database activity patterns and alert on deviations
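One way to implement the non-localhost connection alert and the listener audit described above. This is an added example, not part of the original advisory or Fortra's tooling. It assumes the column layout of `ss -Htan` output and port 9001 (taken from the firewall example on this page); the sample lines are constructed.

```python
import ipaddress

HSQLDB_PORT = 9001  # assumption: port from the page's firewall example; adjust to your install

# Constructed sample of `ss -Htan` output (State Recv-Q Send-Q Local Peer)
SAMPLE = """\
LISTEN 0 50 0.0.0.0:9001 0.0.0.0:*
ESTAB 0 0 127.0.0.1:9001 127.0.0.1:40022
ESTAB 0 0 10.0.0.15:9001 203.0.113.7:51514
ESTAB 0 0 [::ffff:10.0.0.15]:9001 [::ffff:127.0.0.1]:40100
ESTAB 0 0 10.0.0.15:44321 10.0.0.20:9001
ESTAB 0 0 [::1]:9001 [::1]:40300
"""

def split_endpoint(text):
    """Split 'host:port' into (host, port), tolerating [v6] brackets and %scope."""
    host, _, port = text.rpartition(":")
    return host.strip("[]").split("%")[0], port

def is_local_only(host):
    """True only for loopback addresses, including IPv4-mapped IPv6 loopback."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # '*' or anything unparsable is treated as not loopback
    mapped = getattr(addr, "ipv4_mapped", None)
    return (mapped or addr).is_loopback

def audit(ss_output, port=HSQLDB_PORT):
    """Return (kind, local, peer) findings for listeners and sessions on the port."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        lhost, lport = split_endpoint(local)
        if lport != str(port):
            continue  # skip outbound sessions and unrelated sockets
        if state == "LISTEN" and not is_local_only(lhost):
            findings.append(("exposed-listener", local, peer))
        elif state == "ESTAB" and not is_local_only(split_endpoint(peer)[0]):
            findings.append(("remote-session", local, peer))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

On a live host, feed it the output of `ss -Htan` on a schedule and alert on any non-empty result.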
How to Mitigate CVE-2024-6633
Immediate Actions Required
- Migrate FileCatalyst Workflow to a production-grade database as recommended by Fortra
- If migration is not immediately possible, restrict network access to HSQLDB to localhost only
- Review database logs for any signs of unauthorized access or data exfiltration
- Change default HSQLDB credentials if migration cannot be performed immediately
- Apply network-level access controls to prevent external access to database services
Patch Information
Fortra has released a security advisory addressing this vulnerability. Organizations should consult the Fortra Security Advisory FI-2024-011 for detailed remediation guidance and any available patches. The primary mitigation is to discontinue use of the deprecated HSQLDB and migrate to a vendor-recommended production database solution.
Workarounds
- Disable network access to HSQLDB by binding the service to localhost (127.0.0.1) only
- Implement firewall rules to block all external access to the HSQLDB port
- Deploy network segmentation to isolate FileCatalyst Workflow from untrusted networks
- Change the default HSQLDB credentials to unique, strong passwords as an interim measure
- Consider disabling HSQLDB entirely if not required for current operations
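# Configuration example - Restrict HSQLDB network access via firewall
# Block external access to the HSQLDB port (typically 9001; confirm the port your installation listens on)
# Rules are inserted at the top of INPUT so an earlier ACCEPT rule cannot shadow the DROP
iptables -I INPUT 1 -i lo -p tcp --dport 9001 -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 9001 -j DROP
# iptables filters IPv4 only; repeat both rules with ip6tables if the host has IPv6
# Verify the listener address: 127.0.0.1:9001 is local only, 0.0.0.0:9001 or :::9001 is reachable externally
netstat -tlnp | grep ':9001'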

