A critical vulnerability has been identified in Fireshare software, which allows an attacker to execute arbitrary commands on the server. This flaw can be exploited by uploading a video file with a specially crafted filename, potentially leading to a complete system compromise, data theft, and significant service disruption. The vulnerability is especially dangerous on instances where public uploads are enabled, as it allows unauthenticated attackers to gain control of the server.

The application is vulnerable to command injection. It fails to properly sanitize user-supplied input for filenames during the video upload process. An attacker can craft a filename containing shell metacharacters (e.g., ;, |, &&) and system commands. When the application processes the uploaded file, it concatenates this malicious filename directly into a system shell command, causing the injected commands to be executed with the privileges of the web server user. This can also be used for path traversal by including sequences like ../ in the filename, allowing the attacker to write files to arbitrary locations on the server, which could be used to upload a web shell for persistent access.

This vulnerability is rated as critical with a CVSS score of 9.8, reflecting the high potential for severe damage. Successful exploitation could lead to a full compromise of the host server, granting an attacker the ability to access, modify, or exfiltrate all stored data, including user media and sensitive application information. An attacker could also leverage this access to install malware (such as ransomware or crypto miners), disrupt service availability, or use the compromised server as a pivot point to attack other systems within the internal network. The potential for reputational damage and financial loss resulting from a data breach or service outage is significant.

Immediate Action: Immediately upgrade all instances of Fireshare to version 1.3.0 or later, which contains the fix for this vulnerability. After patching, review web server and application logs for any signs of past exploitation attempts, such as upload requests with unusual filenames containing special characters or command syntax.

Proactive Monitoring:

• Log Analysis: Monitor web server access logs for HTTP POST requests to upload endpoints where the filename parameter contains shell metacharacters (;, |, &, $(), `) or path traversal sequences (../).
• Process Monitoring: Monitor for unexpected child processes being spawned by the Fireshare web server process (e.g., sh, bash, curl, wget).
• File Integrity Monitoring (FIM): Monitor for unexpected file creation or modification in sensitive directories, particularly the web root, /tmp, or system binary paths.

Compensating Controls: If immediate patching is not feasible:

• Disable Public Uploads: Immediately disable the "Public Uploads" setting to restrict the attack vector to authenticated users only.
• Web Application Firewall (WAF): Deploy a WAF with rules designed to detect and block command injection and path traversal patterns in file upload requests.
• Principle of Least Privilege: Ensure the Fireshare service runs as a dedicated, low-privilege user with restricted file system and network access to limit the impact of a potential compromise.

Public Exploit Available: false

Due to the critical severity of this vulnerability, we strongly recommend that organizations treat this as an emergency. The primary and most effective remediation is to apply the security update provided by the vendor immediately. Although this CVE is not currently listed on the CISA KEV catalog, its high impact and ease of exploitation make it a prime candidate for future inclusion. Organizations should prioritize patching all affected systems and subsequently hunt for any indicators of compromise to ensure their environment has not already been breached.