CVE-2024-23692

unknown KEV

Published 2024-07-09 · Modified 2024-07-09

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

2.5

Description

Rejetto HTTP File Server contains an improper neutralization of special elements used in a template engine vulnerability. This allows a remote, unauthenticated attacker to execute commands on the affected system by sending a specially crafted HTTP request.

CISA KEV

Vendor: Rejetto
Product: HTTP File Server
Due date: 2024-07-30

Predictions

Exploit likelihood

99%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

{Vendor advisory: cisa-kev — The patched Rejetto HTTP File Server (HFS) is version 3: https://github.com/rejetto/hfs?tab=readme-ov-file#installation, https://www.rejetto.com/hfs/ ; https://nvd.nist.gov/vuln/detail/CVE-2024-23692}

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-52102 webapps typescript

VeryLazyTech · 2025-03-28

Rejetto HTTP File Server 2.3m - Remote Code Execution (RCE)

Source code queued for fetch — refresh in a moment.

Metasploit modules

exploit_windows/http/rejetto_hfs_rce_cve_2024_23692 rank 600

Rejetto HTTP File Server (HFS) Unauthenticated Remote Code Execution

Source code queued for fetch — refresh in a moment.

References

The patched Rejetto HTTP File Server (HFS) is version 3: https://github.com/rejetto/hfs?tab=readme-ov-file#installation, https://www.rejetto.com/hfs/ ; https://nvd.nist.gov/vuln/detail/CVE-2024-23692

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.