CVE-2025-8450

Fortra · Fortra FileCatalyst Workflow

A high-severity improper access control vulnerability has been identified in Fortra's FileCatalyst Workflow component.

Executive summary

A high-severity improper access control vulnerability has been identified in Fortra's FileCatalyst Workflow component. This flaw allows an unauthenticated attacker to upload arbitrary files, which could lead to remote code execution and a complete compromise of the affected server. Organizations using the vulnerable software are at significant risk of data breaches, system takeovers, and further network intrusion.

Vulnerability

The vulnerability exists within the "order forms" page of the FileCatalyst Workflow component. Due to an improper access control mechanism, the application fails to authenticate or authorize users attempting to upload files through this page. An unauthenticated remote attacker can send a specially crafted HTTP POST request to the order form's endpoint to upload a malicious file, such as a web shell, to a directory on the server. By subsequently accessing the uploaded file via a browser, the attacker can achieve remote code execution (RCE) with the privileges of the web server's user account.

Business impact

This vulnerability is rated as High severity with a CVSS score of 8.2. Successful exploitation provides an attacker with initial access to the corporate network, posing a direct threat to business operations. The primary impact is the potential for a full system compromise, leading to the loss of confidentiality, integrity, and availability of the server and the data it processes. An attacker could exfiltrate sensitive data managed by FileCatalyst, deploy ransomware, or use the compromised server as a pivot point to launch further attacks against the internal network.

Remediation

Immediate Action: The primary remediation is to apply the security patches provided by Fortra to all vulnerable FileCatalyst instances immediately. After patching, it is crucial to review server logs for any signs of past exploitation attempts and verify the integrity of the system.

Proactive Monitoring:

  • Monitor web server access logs for anomalous POST requests to the order forms page, particularly from untrusted or external IP addresses.
  • Scrutinize file system activity for the creation of unexpected files in web-accessible directories, especially those with executable extensions (e.g., .jsp, .aspx, .php, .sh).
  • Implement network monitoring to detect unusual outbound connections from the FileCatalyst server, which could indicate an active command-and-control (C2) channel.
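The first two monitoring items above can be turned into concrete checks. The following is an added example, not Fortra's code or part of the original advisory: it parses combined-format web server access log lines, flags POST requests to the order forms page from addresses outside trusted ranges, flags later requests from the same client for paths with executable extensions (the "subsequently accessing the uploaded file" step described above), and compares a current listing of the web root against a known-good baseline to surface newly created executable files. The order forms path, the trusted network ranges, the web root and all log lines and file paths are constructed assumptions; substitute the values from your own deployment.

```python
"""Log and file-system checks for the Proactive Monitoring items (added example).

Assumptions (replace with real values): ORDER_FORM_PATH is the URL prefix of the
order forms page, TRUSTED_NETS are the internal ranges allowed to reach it, and
the baseline is a file inventory taken from a known-good install.
"""
import ipaddress
import re
from pathlib import PurePosixPath

ORDER_FORM_PATH = "/workflow/orderform"            # assumed; take from your deployment
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),  # assumed internal ranges
                ipaddress.ip_network("192.168.0.0/16")]
EXEC_EXTENSIONS = {".jsp", ".jspx", ".aspx", ".php", ".sh"}

# Apache/nginx "combined" format; trailing referrer/user-agent fields are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (chronological order), not real traffic.
SAMPLE_LOG = [
    '203.0.113.45 - - [10/Aug/2025:14:02:11 +0000] "POST /workflow/orderform/upload HTTP/1.1" 200 512',
    '10.0.4.12 - - [10/Aug/2025:14:03:30 +0000] "POST /workflow/orderform HTTP/1.1" 302 0',
    '203.0.113.45 - - [10/Aug/2025:14:03:40 +0000] "GET /workflow/uploads/x.jsp HTTP/1.1" 200 1024',
    '198.51.100.7 - - [10/Aug/2025:14:05:02 +0000] "GET /workflow/orderform HTTP/1.1" 200 2048',
]


def parse_line(line):
    """Return a dict of the fields we need, or None for lines we cannot parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string
    return rec


def is_trusted(ip):
    """True when the client address falls inside one of the trusted ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def is_suspicious_post(rec):
    """POST to the order forms page from an address outside the trusted ranges."""
    return (rec["method"] == "POST"
            and rec["path"].startswith(ORDER_FORM_PATH)
            and not is_trusted(rec["ip"]))


def suspicious_posts(lines):
    """All parsed records that match the first monitoring item."""
    return [r for r in map(parse_line, lines) if r is not None and is_suspicious_post(r)]


def webshell_followups(lines):
    """Requests for executable-extension paths from a client that earlier sent a
    suspicious POST. Lines are assumed to be in chronological order."""
    flagged_clients, hits = set(), []
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        if is_suspicious_post(rec):
            flagged_clients.add(rec["ip"])
        elif rec["ip"] in flagged_clients and PurePosixPath(rec["path"]).suffix.lower() in EXEC_EXTENSIONS:
            hits.append(rec)
    return hits


def new_executables(current_files, baseline_files, webroot):
    """Executable files under the web root that are absent from the baseline inventory."""
    prefix = webroot.rstrip("/") + "/"
    return sorted(
        p for p in set(current_files) - set(baseline_files)
        if p.startswith(prefix) and PurePosixPath(p).suffix.lower() in EXEC_EXTENSIONS
    )


# Constructed file inventories; paths are placeholders, not the product's real layout.
WEBROOT = "/opt/fc/webapps/workflow"
BASELINE_FILES = {f"{WEBROOT}/index.jsp", f"{WEBROOT}/orderform.jsp"}
CURRENT_FILES = BASELINE_FILES | {f"{WEBROOT}/uploads/x.jsp", f"{WEBROOT}/uploads/invoice.pdf"}

if __name__ == "__main__":
    for r in suspicious_posts(SAMPLE_LOG):
        print("suspicious POST:", r["ip"], r["path"], r["status"])
    for r in webshell_followups(SAMPLE_LOG):
        print("possible web shell access:", r["ip"], r["path"])
    for p in new_executables(CURRENT_FILES, BASELINE_FILES, WEBROOT):
        print("new executable under web root:", p)
```

Run against a real access log by feeding the file's lines to `suspicious_posts` and `webshell_followups`, and against a fresh `find`-style listing of the web root for `new_executables`. The baseline comparison matters because a legitimate install contains its own `.jsp` files; only files absent from the known-good inventory are worth an alert. A second-stage check (the follow-up request) is deliberately keyed to the same client address so that a single external POST does not by itself page an analyst.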

Compensating Controls: If patching cannot be performed immediately, consider the following controls:

  • Use a Web Application Firewall (WAF) to block or restrict access to the vulnerable "order forms" page.
  • Implement network segmentation and Access Control Lists (ACLs) to limit access to the FileCatalyst web interface to only trusted internal users.
  • If the order forms feature is not in use, disable it through the application's configuration.

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability represents a critical risk to the organization due to its high severity (CVSS 8.2) and the potential for unauthenticated remote code execution. Although not currently listed on the CISA KEV catalog, its low attack complexity makes it an attractive target for threat actors. We strongly recommend that all affected Fortra FileCatalyst instances be patched immediately as a top priority. If patching is delayed, the compensating controls listed above must be implemented to reduce the attack surface and mitigate the immediate risk of compromise.