Rejetto HTTP File Server SSTI RCE (CVE-2024-23692)
Description
Rejetto HTTP File Server (HFS) versions 2.3m and earlier contain a Server-Side Template Injection (SSTI) vulnerability that allows remote code execution. An unauthenticated attacker can exploit this flaw by sending a malicious HTTP request containing specially crafted template syntax, which the server processes and executes as system commands. This vulnerability poses a critical risk to any publicly accessible HFS instance running affected versions.
Remediation
Immediately migrate to HFS version 3.x, as the vendor has declared the 2.x branch End-of-Life and no longer provides security updates for it. HFS 3 is a complete rewrite that addresses this and other security issues. Download the latest HFS 3 release from the official Rejetto website (https://www.rejetto.com/hfs/). If immediate migration is not feasible, implement compensating controls such as restricting network access to the HFS service using firewall rules to allow only trusted IP addresses, placing the service behind a reverse proxy with request filtering, or temporarily shutting down the service until migration can be completed. Do not attempt to patch or modify HFS 2.x as it is no longer supported.
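Before applying the compensating controls above, most teams first need to find which of their own hosts are still running an affected 2.x build. The script below is an added example written for this page, not code from the advisory or from Rejetto: it triages recorded HTTP `Server` banners from an asset inventory and flags any HFS version at or below 2.3m. It assumes that HFS reports itself as `HFS <version>` in the `Server` header and that 2.x releases are ordered numerically and then by a single letter suffix (so `2.3` predates `2.3a`, which predates `2.3m`); both are assumptions, and the sample banners are constructed for the example.

```python
import re

# Constructed sample inventory (not from the advisory): host -> recorded Server header.
SAMPLE_BANNERS = {
    "10.0.0.5": "HFS 2.3m",
    "10.0.0.6": "HFS 2.3k",
    "10.0.0.7": "HFS 2.3",
    "10.0.0.8": "HFS 3.0.0",
    "10.0.0.9": "nginx/1.24.0",
}

# From the advisory: 2.3m and every earlier release are affected.
LAST_AFFECTED = "2.3m"

# Assumed banner shape: "HFS <major>.<minor>[letter]"; anything after that is ignored.
_BANNER_RE = re.compile(r"^HFS\s+(\d+)\.(\d+)([a-z]?)", re.IGNORECASE)


def parse_hfs_version(banner):
    """Return a comparable (major, minor, suffix_rank) tuple, or None if not an HFS banner."""
    m = _BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor, suffix = int(m.group(1)), int(m.group(2)), m.group(3).lower()
    # Assumed ordering: no letter (rank 0) is older than 'a' (1) .. 'z' (26).
    rank = ord(suffix) - ord("a") + 1 if suffix else 0
    return (major, minor, rank)


def is_affected(banner):
    """True when the banner identifies an HFS release at or below LAST_AFFECTED."""
    version = parse_hfs_version(banner)
    if version is None:
        return False  # not HFS, or banner hidden: cannot conclude from the header alone
    return version <= parse_hfs_version("HFS " + LAST_AFFECTED)


def triage(banners):
    """Return the sorted list of hosts whose banner indicates an affected version."""
    return sorted(host for host, banner in banners.items() if is_affected(banner))


if __name__ == "__main__":
    for host in triage(SAMPLE_BANNERS):
        print(f"{host}: {SAMPLE_BANNERS[host]} -> affected, migrate to HFS 3 or restrict access")
```

A banner check is only a first pass: an instance behind a proxy that rewrites the `Server` header will show up as unaffected here, so treat a negative result as "unconfirmed" and verify the installed version on the host itself.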