HTTP File Server, also known as HFS, is a free web server designed specifically for publishing and sharing files. It is small, portable, and easy to use, and it runs on multiple operating systems, including Windows, Linux, and iOS. Because it is easy, quick, and free to use, it is particularly popular among individuals and small groups for file sharing.
On 2024/5/31, NIST published CVE-2024-23692, a template injection vulnerability that allows a remote, unauthenticated attacker to execute arbitrary commands on the target. Affected versions are up to and including 2.3m, which is no longer supported but still widely used. Because the vulnerability is easy to exploit and has a broad impact, NIST assigned it a CVSS score of 9.8. Moreover, it was added to the CISA Known Exploited Vulnerabilities Catalog on 2024/7/9, which means that exploitation in the wild has already been observed.
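As an added example (not part of the original post and not RidgeBot's own code), the following Python inventory check classifies an HFS build against the advisory's cut-off of 2.3m. It assumes HFS advertises its version in the HTTP `Server` header as `HFS <version>` and that 2.x releases follow Rejetto's major.minor plus optional letter naming (2.3, 2.3a, ... 2.3m); the sample headers are constructed, not captured from a real host.

```python
import re
from typing import Optional, Tuple

# CVE-2024-23692 affects Rejetto HFS up to and including 2.3m (from the advisory).
LAST_AFFECTED = "2.3m"

# Assumed HFS 2.x version format: "2.3m", "2.3k", "2.3" (base release).
# HFS 3.x uses a different scheme (e.g. "0.52.0") and is not covered here.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)([a-z])?$")

# Assumed header format: "Server: HFS 2.3m".
_SERVER_RE = re.compile(r"^Server:\s*HFS\s+(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Turn '2.3m' into a comparable tuple (2, 3, 13); '2.3' becomes (2, 3, 0)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, letter = m.groups()
    # Letter revisions sort after the base release: a=1 ... z=26, none=0.
    rev = ord(letter) - ord("a") + 1 if letter else 0
    return int(major), int(minor), rev


def is_affected(version: str) -> Optional[bool]:
    """True if version <= 2.3m, False if newer, None if the format is unknown."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return parsed <= parse_version(LAST_AFFECTED)


def check_response_headers(raw_headers: str) -> Optional[bool]:
    """Extract the HFS version from a Server header and classify it.
    Returns None when the response does not identify itself as HFS 2.x."""
    m = _SERVER_RE.search(raw_headers)
    if not m:
        return None
    return is_affected(m.group(1))


# Constructed sample response headers for a vulnerable-looking host.
SAMPLE_HEADERS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: HFS 2.3m\r\n"

if __name__ == "__main__":
    verdict = check_response_headers(SAMPLE_HEADERS)
    print({True: "affected", False: "not affected", None: "not HFS 2.x"}[verdict])
```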
Ridge Security's dedicated engineering team took immediate action in response to the update of the CISA KEV Catalog. At the time of writing this blog, we are proud to announce that a plugin to scan for this CVE will be included in the upcoming release. RidgeBot uses cutting-edge techniques to scan for and attempt to exploit this vulnerability regardless of whether the target system is running Windows, Linux, or Mac.
Once vulnerabilities are found, RidgeBot produces detailed reports including Type, Severity, Description, and Risk details. With this information, it is easy to understand what the vulnerabilities are, their impact, and how to patch them.
Figure 1: Vulnerability report for CVE-2024-23692
Figure 2: Risk item report for CVE-2024-23692
The target runs in a different language, so the screenshot has an encoding issue.
In the Information Age, cyber threats are everywhere. Ridge Security keeps monitoring emerging vulnerabilities and protecting our customers. With our ever-growing threat intelligence database, RidgeBot provides unparalleled protection against evolving cyber threats, giving you peace of mind and a robust defense in an ever-changing threat landscape. To learn more, please request a demo.