Fortra Warns: Hard-Coded Password Vulnerability in FileCatalyst – CVE-2024-5275
Fortra, the developer of the popular FileCatalyst file transfer solutions, has issued a critical security advisory warning users of a high-severity vulnerability (CVE-2024-5275) in both FileCatalyst Direct and FileCatalyst Workflow. The vulnerability, stemming from a hard-coded password in the FileCatalyst TransferAgent, could allow attackers to unlock the keystore, potentially leading to man-in-the-middle (MiTM) attacks.
The vulnerability exposes sensitive data, such as private keys for certificates, within the keystore. If exploited, attackers could intercept and manipulate data during transfer, posing a significant threat to data integrity and confidentiality. This could have devastating consequences for organizations that rely on FileCatalyst for secure file transfers, especially in industries like media, healthcare, and government where data security is paramount.
All versions of FileCatalyst Direct up to 3.8.10 Build 138 and FileCatalyst Workflow up to 5.1.6 Build 130 are susceptible to the CVE-2024-5275 vulnerability. Organizations using these products must act immediately to mitigate the risk.
Fortra has released patches to address the vulnerability. FileCatalyst Direct users should upgrade to version 3.8.10 Build 144 or higher, while FileCatalyst Workflow users should upgrade to version 5.1.6 Build 133 or later.
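As an added example (not Fortra's code or tooling), a small Python audit that parses FileCatalyst's "version Build n" strings and flags installs below the first fixed builds named above; the hostnames and inventory rows are constructed.

```python
import re
from typing import List, NamedTuple, Tuple

# First fixed builds from the Fortra advisory for CVE-2024-5275.
FIXED_BUILDS = {
    "FileCatalyst Direct": "3.8.10 Build 144",
    "FileCatalyst Workflow": "5.1.6 Build 133",
}

class Build(NamedTuple):
    # Field order makes builds compare version-first, then build number.
    version: Tuple[int, ...]
    build: int

_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s+Build\s+(\d+)\s*$", re.IGNORECASE)

def parse_build(text: str) -> Build:
    """Parse a string such as '3.8.10 Build 138' into a comparable Build."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised FileCatalyst version string: {text!r}")
    version = tuple(int(part) for part in match.group(1).split("."))
    return Build(version, int(match.group(2)))

def is_vulnerable(product: str, installed: str) -> bool:
    """True when the installed build is older than the first fixed build."""
    return parse_build(installed) < parse_build(FIXED_BUILDS[product])

def audit(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) rows that still need the upgrade."""
    return [row for row in inventory if is_vulnerable(row[1], row[2])]

# Constructed sample inventory: hypothetical hosts, not data from the advisory.
SAMPLE_INVENTORY = [
    ("mft-01.example.internal", "FileCatalyst Direct", "3.8.10 Build 138"),
    ("mft-02.example.internal", "FileCatalyst Direct", "3.8.10 Build 144"),
    ("wf-01.example.internal", "FileCatalyst Workflow", "5.1.6 Build 130"),
    ("wf-02.example.internal", "FileCatalyst Workflow", "5.1.7 Build 12"),
]

if __name__ == "__main__":
    for host, product, version in audit(SAMPLE_INVENTORY):
        print(f"UPGRADE NEEDED: {host} runs {product} {version}")
```

A later release with a smaller build number (for example a hypothetical 3.9.0 Build 1) compares as fixed, matching the advisory's "or higher" wording.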
In addition, users who employ the FileCatalyst TransferAgent remotely must switch REST calls to “http” or, if “https” is necessary, generate a new SSL key and add it to the agent keystore. A detailed knowledge article, “Action Required by June 18th 2024: FileCatalyst TransferAgent SSL and localhost changes,” is available to guide users through the remediation process.
The severity of this vulnerability (CVSS 7.8) and its potential impact on data security underscore the need for immediate action. Organizations that fail to update their FileCatalyst software promptly leave themselves vulnerable to attacks that could compromise sensitive data and disrupt operations.