CVE-2024-14037

Guangzhou Red Sea Cloud Computing Co. · Red Sea Cloud eHR

Guangzhou Red Sea Cloud eHR contains an arbitrary file upload vulnerability in the PtFjk.mob servlet. The servlet accepts uploads from unauthenticated clients without adequately validating the file type, so an attacker can upload a JSP webshell and execute arbitrary code on the server.

Executive summary

An unauthenticated remote code execution flaw in Red Sea Cloud eHR allows attackers to compromise the system through malicious file uploads, with evidence of active exploitation in the wild.

Vulnerability

The PtFjk.mob servlet accepts file uploads from unauthenticated clients and does not properly validate either the MIME type or the file extension on the server side: the checks it does perform rely on the client-supplied Content-Type header, which the attacker controls. An attacker can therefore upload a file with a .jsp extension while declaring an allowed Content-Type (for example image/jpeg). The file is written to the web-accessible /uploadfile/ directory, and a subsequent request for it causes the servlet container to compile and run it, giving the attacker a webshell on the server.
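The following is an added illustration, not code from Red Sea Cloud eHR or from the vendor. It models a single multipart upload part with a constructed UploadPart class and contrasts a check that trusts the declared Content-Type (the pattern this advisory describes) with a server-side check that ignores that header and instead verifies the extension against an allowlist and the file body against that type's magic bytes. The allowlist, the magic-byte table, the sample parts and the stored-name scheme are all assumptions chosen for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed model of one multipart/form-data file part. Not the servlet's
# real data structure; every field is client-supplied and attacker-controlled.
@dataclass
class UploadPart:
    filename: str      # basename the client claims, possibly with path pieces
    content_type: str  # Content-Type header of the part, set by the client
    data: bytes        # file body

# Hypothetical allowlist of declared types (what a Content-Type-only check trusts).
ALLOWED_CONTENT_TYPES = {"image/jpeg", "image/png", "image/gif", "application/pdf"}

# Hypothetical allowlist of extensions, each with the leading bytes it must carry.
MAGIC_BYTES = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}

def vulnerable_check(part: UploadPart) -> bool:
    """Accept if the *declared* Content-Type is allowed. The header is chosen by
    the client, so 'image/jpeg' on a .jsp body passes and the file keeps its name."""
    return part.content_type.lower() in ALLOWED_CONTENT_TYPES

def extension_of(filename: str) -> Optional[str]:
    """Lowercase extension of the basename only; None for no extension or a
    NUL byte (used to truncate names in some filesystem/API combinations)."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "\x00" in base or "." not in base:
        return None
    return base.rsplit(".", 1)[1].lower()

def hardened_check(part: UploadPart) -> bool:
    """Server-side validation that never consults Content-Type: the extension
    must be on the allowlist and the body must begin with that type's magic bytes.
    A double extension such as a.jsp.jpg yields 'jpg' and then fails the byte check."""
    ext = extension_of(part.filename)
    if ext not in MAGIC_BYTES:
        return False
    return part.data.startswith(MAGIC_BYTES[ext])

def stored_name(part: UploadPart) -> str:
    """Name to store a validated upload under: random, carrying only the validated
    extension, so neither the client's basename nor any path component survives."""
    ext = extension_of(part.filename)
    if ext not in MAGIC_BYTES:
        raise ValueError("validate with hardened_check before storing")
    return f"{secrets.token_hex(16)}.{ext}"

# Constructed sample parts. The JSP body is a non-functional placeholder.
SPOOFED_JSP = UploadPart("shell.jsp", "image/jpeg", b"<% /* placeholder */ %>")
REAL_JPEG = UploadPart("photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
TRAVERSAL = UploadPart("../../webapps/ROOT/x.jpg", "image/jpeg", b"\xff\xd8\xff\xe0")

if __name__ == "__main__":
    for label, part in [("spoofed jsp", SPOOFED_JSP), ("real jpeg", REAL_JPEG), ("traversal", TRAVERSAL)]:
        print(f"{label:12} vulnerable={vulnerable_check(part)} hardened={hardened_check(part)}")
    print("stored as", stored_name(REAL_JPEG))
```

The magic-byte check alone is not sufficient; a JPEG with JSP appended still begins with the JPEG signature. What makes the hardened path safe is the combination: the stored file keeps only the validated extension under a random name, so the container has no reason to treat it as a JSP, and the upload directory should additionally be served as static content with script execution disabled or kept outside the web root entirely.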

Business impact

The CVSS score of 9.8 (Critical) reflects an unauthenticated, network-reachable flaw that gives an attacker a direct path to full control of the eHR server. Business consequences include unauthorized access to the sensitive employee HR data the system holds, loss of integrity of that data and of the application itself, and significant operational disruption while attacker-controlled webshells are present or being removed.

Remediation

Immediate Action: Apply the security update from Guangzhou Red Sea Cloud Computing Co. without delay; the vulnerability is under active exploitation. Until the update is installed, restrict network access to the application, since the upload endpoint requires no authentication.

Proactive Monitoring: Monitor the /uploadfile/ directory for newly created files, especially anything with a script extension such as .jsp or .jspx, and audit web server access logs for POST requests to the PtFjk.mob endpoint followed by requests for files under /uploadfile/ from the same client. A POST to the servlet on its own may be legitimate use of the application; a script file appearing in the upload directory, or a request for one, is not.
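One way to implement that log review, as an added example that is not part of the advisory or the vendor's tooling: parse access-log lines in the common format that Tomcat's AccessLogValve writes with the pattern "%h %l %u %t \"%r\" %s %b", flag requests for .jsp or .jspx files under /uploadfile/, and raise the severity when the same client POSTed to the PtFjk.mob servlet shortly before. The log lines below are constructed; the request path of the servlet is matched only by its trailing /PtFjk.mob component because the advisory does not state the full path, and the ten-minute correlation window is an assumption.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample access log (Tomcat AccessLogValve common pattern).
# IPs are documentation ranges; request paths are assumed for illustration.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2024:13:55:36 +0000] "GET /index.jsp HTTP/1.1" 200 5120
198.51.100.7 - - [10/Oct/2024:13:56:01 +0000] "POST /PtFjk.mob HTTP/1.1" 200 88
198.51.100.7 - - [10/Oct/2024:13:56:04 +0000] "GET /uploadfile/20241010135601.jsp?cmd=id HTTP/1.1" 200 412
203.0.113.10 - - [10/Oct/2024:14:02:10 +0000] "GET /uploadfile/contract.pdf HTTP/1.1" 200 20480
192.0.2.44 - - [10/Oct/2024:15:30:00 +0000] "GET /uploadfile/x.jsp HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
UPLOAD_SERVLET = "/ptfjk.mob"      # matched case-insensitively on the path suffix
UPLOAD_DIR = "/uploadfile/"
SCRIPT_EXTS = (".jsp", ".jspx")

def parse_line(line: str) -> Optional[Dict]:
    """Parse one common-format line; None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["target"].split("?", 1)[0]   # drop the query string
    rec["status"] = int(rec["status"])
    return rec

def is_upload_post(rec: Dict) -> bool:
    return rec["method"] == "POST" and rec["path"].lower().endswith(UPLOAD_SERVLET)

def is_script_in_upload_dir(rec: Dict) -> bool:
    p = rec["path"].lower()
    return p.startswith(UPLOAD_DIR) and p.endswith(SCRIPT_EXTS)

def detect(lines: List[str], window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Return one alert per request for a script file under the upload directory.
    Severity is 'high' when the same client POSTed to the upload servlet within
    `window` beforehand (upload then execute), 'medium' otherwise (for example a
    scanner probing for a shell, which a 404 does not make harmless)."""
    recs = [r for r in map(parse_line, lines) if r]
    uploads = [r for r in recs if is_upload_post(r)]
    alerts = []
    for r in recs:
        if not is_script_in_upload_dir(r):
            continue
        prior = [u for u in uploads
                 if u["ip"] == r["ip"] and timedelta(0) <= r["ts"] - u["ts"] <= window]
        alerts.append({
            "ip": r["ip"],
            "time": r["ts"].isoformat(),
            "path": r["path"],
            "status": r["status"],
            "severity": "high" if prior else "medium",
            "upload_post_at": prior[-1]["ts"].isoformat() if prior else None,
        })
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run over the sample, this reports the 198.51.100.7 request for /uploadfile/20241010135601.jsp as high (POST to the servlet three seconds earlier) and the 192.0.2.44 probe as medium; the PDF under /uploadfile/ is not flagged. In production the same logic belongs in the SIEM, keyed on client IP or session rather than on the raw list scan used here.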

Compensating Controls: Put WAF rules in front of the application that inspect the filename of each multipart upload part and reject script extensions such as .jsp and .jspx regardless of the Content-Type declared for the part; that header is attacker-controlled and must not be the basis of the decision. Additionally block, at the WAF or reverse proxy, any request for a .jsp or .jspx file under /uploadfile/, so that a file which does get written cannot be reached.

Exploitation status

Public Exploit Available: Not specified

Analyst recommendation

Immediate remediation is required to protect the integrity of the eHR environment. Organizations should verify that their instances are patched and then review access logs and the contents of the /uploadfile/ directory for webshells or other persistence established before the patch was applied; installing the update does not remove files an attacker has already uploaded.