The Imperva Threat Research team sounded the alarm on a coordinated exploitation campaign targeting outdated instances of Rejetto HTTP File Server (HFS) 2.x. The attackers, leveraging a critical server-side template injection vulnerability (CVE-2024-23692), aimed to deploy ransomware and trojans at scale, transforming abandoned file-sharing tools into backdoors for network compromise.
CVE-2024-23692 is a server-side template injection (SSTI) vulnerability affecting HFS 2.3m and earlier. It enables unauthenticated remote code execution (RCE) via a single malicious HTTP request.
"A single crafted HTTP request was all it takes to download and execute malicious payloads, with no authentication required," the report explains.
The exploit abuses the search query parameter in the HFS URL, injecting a {.exec|{.?cmd.}} macro block that allows arbitrary command execution, with the payload delivered through the cmd parameter. Because of HFS's template rendering behavior, this attack requires no user interaction.
Imperva observed 662 exploit attempts across 55 customer domains. The payloads were hosted at hxxp://151[.]242.152.91/ and included:
- Farfli Trojan (malicious downloader)
- Zenpak Trojan
- jqvtd Ransomware
All command-and-control (C2) infrastructure pointed to Hong Kong, suggesting a single coordinated threat actor behind the campaign.
Victims were observed across multiple industries and geographies, highlighting the widespread use (and neglect) of legacy file-sharing servers like HFS 2.x.
Imperva recommends a layered approach:
- Retire or isolate HFS 2.x. It is end-of-life and no longer receives security updates.
- Upgrade to HFS 3.x, which includes modern protections.
- Block outbound HTTP to unknown IPs
- Monitor HTTP requests for patterns like: search=.*%url%.*}{\.exec|
- Constrain PowerShell (e.g., enable Constrained Language Mode and AMSI)
- Keep antivirus and malware detection tools up to date
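The monitoring recommendation above, worked through as an added example (not code from Imperva or the report): a small access-log scanner that URL-decodes the HFS search parameter before matching, so it also catches the percent-encoded and double-encoded variants the raw pattern would miss. The log format, sample lines and IP addresses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Macro block the advisory flags in the HFS "search" parameter.
# Matched against the URL-decoded value so encoded variants are caught too.
HFS_SSTI_PATTERN = re.compile(r"\{\.exec\|", re.IGNORECASE)

# Common-log-format line: client, ident, user, [timestamp], "METHOD target PROTO".
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)


def is_hfs_ssti_request(target: str) -> bool:
    """True if the request target carries the {.exec|...} macro in 'search'."""
    query = urlsplit(target).query
    for value in parse_qs(query, keep_blank_values=True).get("search", []):
        # parse_qs already decoded once; decode again to defeat double-encoding.
        if HFS_SSTI_PATTERN.search(unquote(value)):
            return True
    return False


def scan_access_log(log_text: str) -> list[dict]:
    """Return one hit per log line whose search parameter contains the macro."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and is_hfs_ssti_request(m.group("target")):
            hits.append({"client": m.group("client"), "target": m.group("target")})
    return hits


# Constructed sample log (not real traffic); command values are redacted.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2024:12:00:01 +0000] "GET /?search=report.pdf HTTP/1.1" 200 512
203.0.113.11 - - [10/Jun/2024:12:00:02 +0000] "GET /?search=%25url%25{.exec|{.?cmd.}}&cmd=REDACTED HTTP/1.1" 200 0
203.0.113.12 - - [10/Jun/2024:12:00:03 +0000] "GET /?search=%7B.exec%7C%7B.%3Fcmd.%7D%7D&cmd=REDACTED HTTP/1.1" 200 0
203.0.113.13 - - [10/Jun/2024:12:00:04 +0000] "POST /upload HTTP/1.1" 404 0
"""

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"ALERT HFS SSTI attempt from {hit['client']}: {hit['target']}")
```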