A critical vulnerability has been identified in FileZilla Client, a widely used file transfer application. This flaw, known as DLL hijacking, allows an attacker who can place a malicious file in the application's directory to execute arbitrary code and gain complete control over the affected system. Due to the high severity and simplicity of exploitation, this vulnerability poses a significant risk of system compromise, data theft, or further network intrusion.

The vulnerability is a DLL hijacking (or insecure library loading) flaw. The FileZilla Client application attempts to load a Dynamic Link Library (DLL) named TextShaping.dll from a location that is not secure, such as its own installation directory, before searching in trusted system directories. An attacker with the ability to write files into this directory can place a specially crafted malicious DLL with the same name. When a user launches the FileZilla Client, the application will inadvertently load and execute the attacker's malicious DLL, leading to arbitrary code execution with the permissions of the user running the application.

This vulnerability is classified as critical severity with a CVSS score of 9.8. Successful exploitation could lead to a complete compromise of the workstation or server where the FileZilla Client is installed. The potential consequences include theft of sensitive data, deployment of ransomware, installation of persistent backdoors, and the use of the compromised system as a pivot point to attack other resources on the internal network. The risk is particularly high on multi-user systems like terminal servers, where one compromised user account could impact others, or if an attacker can trick a user into downloading the malicious DLL into the application folder.

Immediate Action: Immediately update all installations of FileZilla Client to the latest version provided by the vendor to patch this vulnerability. Following the update, monitor systems for any signs of prior exploitation and review application and system logs for unusual activity related to the FileZilla Client process.

Proactive Monitoring: Implement monitoring rules to detect the creation of TextShaping.dll within any FileZilla Client installation directories. Use Endpoint Detection and Response (EDR) solutions to monitor for suspicious child processes spawning from filezilla.exe, such as cmd.exe, powershell.exe, or unexpected outbound network connections to command-and-control servers.

Compensating Controls: If immediate patching is not feasible, implement the following controls to mitigate risk:

• Access Control: Harden file system permissions to prevent standard users from writing files to the FileZilla Client installation directory.
• Application Whitelisting: Use solutions like AppLocker or Windows Defender Application Control to prevent FileZilla from loading unsigned or untrusted DLLs.
• File Integrity Monitoring (FIM): Deploy FIM to alert security teams to any unauthorized changes or file additions within the FileZilla program directories.

Public Exploit Available: true

This vulnerability is rated as critical and represents a significant risk to the organization. Exploitation allows for complete system compromise and is straightforward for an attacker with the ability to place a file on the target system. Although this vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its high severity and the public availability of the exploitation technique warrant immediate action. It is strongly recommended that all instances of the affected FileZilla Client software be updated to the latest version without delay to mitigate this threat.