CVE-2026-61500
Rejetto · HFS
Rejetto HFS uses a predictable PRNG for session-cookie signing, allowing unauthenticated attackers to forge administrator session cookies and achieve remote code execution.
Executive summary
A critical vulnerability in Rejetto HFS allows unauthenticated remote attackers to forge administrative session cookies and execute arbitrary code on the server.
Vulnerability
The application utilizes a non-cryptographic PRNG (Math.random()) to derive session-cookie signing keys, which are disclosed to unauthenticated users during the login process. This flaw enables an attacker to reconstruct the generator state, forge valid administrator cookies, and gain unauthorized control over the application.
Business impact
Successful exploitation grants an attacker full administrative access to the HFS instance, leading to complete system compromise. Given the CVSS score of 9.8, this vulnerability poses an extreme risk, as it allows for trivial Remote Code Execution (RCE) without requiring prior authentication, potentially exposing sensitive data and allowing for lateral movement within the network.
Remediation
Immediate Action: Upgrade Rejetto HFS to version 3.2.1 or later immediately to implement a cryptographically secure key generation process.
Proactive Monitoring: Monitor server logs for an unusual frequency of login requests or failed authentication patterns that might indicate an attacker attempting to sample the PRNG output.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to block suspicious administrative access patterns, though patching remains the only effective mitigation.
Exploitation status
Public Exploit Available: No (No confirmed weaponized exploit or public PoC identified).
Analyst recommendation
This is a critical-severity flaw that requires immediate attention. Because the vulnerability allows for unauthenticated RCE, administrators should prioritize updating to version 3.2.1 without delay. If the instance is exposed to the internet, ensure access is restricted via VPN or firewall until the patch is successfully applied and verified.