CVE-2025-8450 Overview
CVE-2025-8450 is an improper access control vulnerability in the Workflow component of Fortra's FileCatalyst. The flaw permits unauthenticated remote users to upload arbitrary files through the order forms page. The weakness is classified under [CWE-306] Missing Authentication for a Critical Function. Fortra published advisory FI-2025-010 to address the issue. The vulnerability impacts integrity and availability of affected FileCatalyst Workflow deployments and can be reached directly over the network without user interaction.
Critical Impact
Unauthenticated attackers can upload arbitrary files to FileCatalyst Workflow servers via the order forms page, enabling potential payload staging, denial of service, and disruption of file transfer operations.
Affected Products
- Fortra FileCatalyst Workflow (Workflow component)
- FileCatalyst order forms page functionality
- See Fortra Security Advisory FI-2025-010 for the full list of affected versions
Discovery Timeline
- 2025-08-19 - CVE-2025-8450 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-8450
Vulnerability Analysis
The vulnerability resides in the Workflow component of Fortra FileCatalyst, specifically within the order forms page. The order forms functionality fails to enforce authentication or authorization checks on file upload requests. As a result, any remote actor able to reach the web interface can submit upload requests without presenting credentials.
The issue maps to [CWE-306] Missing Authentication for a Critical Function. File upload endpoints qualify as critical functions because uploaded content can be staged on the server file system. Even when uploads are constrained in type or location, an attacker can fill storage, plant content for later retrieval, or interfere with legitimate workflow processing.
With an EPSS score of approximately 0.237% (percentile 46.7), public exploitation probability is modest at this time, but the network-reachable, unauthenticated nature of the flaw makes it attractive to opportunistic scanning.
Root Cause
The root cause is missing access control on the order forms upload handler. The component accepts file submissions without validating a session, token, or role before writing data to disk. Authentication logic that protects other Workflow endpoints is not applied to the order forms upload path.
Attack Vector
An attacker reaches the FileCatalyst Workflow web interface over the network and submits a crafted HTTP POST request to the order forms page upload handler. No credentials, prior interaction, or victim activity are required. Successful requests deposit attacker-controlled files into the server, which can be used to consume disk capacity, stage payloads for follow-on attacks, or corrupt workflow state. Refer to Fortra Security Advisory FI-2025-010 for endpoint-specific technical details.
Detection Methods for CVE-2025-8450
Indicators of Compromise
- Unexpected files appearing in FileCatalyst Workflow upload directories without a corresponding authenticated session
- HTTP POST requests to the order forms page originating from unknown or external IP addresses
- Spikes in disk consumption on the FileCatalyst Workflow server
- Web access log entries showing upload activity without preceding login events
Detection Strategies
- Correlate web server access logs with application authentication logs to identify upload requests that lack a valid session
- Hash and inventory files in upload destinations on a recurring schedule and alert on new or unknown files
- Apply web application firewall rules that block or alert on POST requests to order forms endpoints from untrusted networks
Monitoring Recommendations
- Monitor outbound and inbound traffic to the FileCatalyst Workflow host for anomalous upload volumes
- Forward application, web, and OS logs to a centralized analytics platform for correlation against authentication events
- Alert on creation of executable file types or archives in any FileCatalyst upload or temporary directory
How to Mitigate CVE-2025-8450
Immediate Actions Required
- Apply the security update referenced in Fortra Security Advisory FI-2025-010 as soon as possible
- Restrict network access to the FileCatalyst Workflow web interface using firewall rules or VPN gating until patching is complete
- Audit upload directories for unexpected files and remove or quarantine any unauthorized content
- Review web server logs since deployment for evidence of unauthenticated upload attempts
Patch Information
Fortra has published advisory FI-2025-010 describing fixed versions of FileCatalyst Workflow. Administrators should consult the Fortra Security Advisory FI-2025-010 for the exact patched release numbers and upgrade instructions applicable to their deployment.
Workarounds
- Place the FileCatalyst Workflow server behind a reverse proxy or WAF that enforces authentication before requests reach the order forms page
- Disable the order forms feature if it is not in active use
- Restrict access to the Workflow interface to known IP ranges via network ACLs until the patch is deployed
# Example: restrict access to FileCatalyst Workflow with iptables until patched
iptables -A INPUT -p tcp --dport 443 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

