Rejetto HTTP File Server Exploited To Drop Malware CVE-2024-23692

Attackers have been found exploiting CVE-2024-23692, a template injection vulnerability in the Rejetto HTTP File Server (HFS) software. The vulnerability allows remote, unauthenticated attackers to execute arbitrary commands on the affected system via specially crafted HTTP requests. Following public disclosure of the vulnerability, a proof-of-concept (PoC) was also released. After initial infiltration, the attackers gathered system information using commands such as whoami and arp. They then created hidden backdoor accounts to facilitate malware installation and remote desktop access. In many instances the attackers terminated the HFS process to prevent exploitation by others. Based on the malware and commands employed, most of these attacks are believed to have been carried out by Chinese-speaking threat actors. Successful infections resulted in systems being compromised with various malware, including XMRig, XenoRAT, Gh0stRAT, PlugX, Cobalt Strike, Netcat, and GoThief.
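The post-exploitation behaviour described above (reconnaissance with whoami and arp, creation of backdoor accounts, and termination of the HFS process) is visible in process-creation telemetry as child processes of the HFS server. The following detection script is an added example written for this page, not code from the original report or from Rejetto. It assumes Sysmon Event ID 1 style field names (ProcessId, ParentProcessId, Image, CommandLine), assumes the server binary is named hfs.exe, and runs over constructed sample events rather than real logs. It goes slightly beyond the summary by walking the process lineage, so a command launched through an intermediate cmd.exe is still attributed to HFS.

```python
import ntpath
import re
from collections import Counter

# Constructed Sysmon-style process-creation records (Event ID 1 field names).
# These are NOT real telemetry; the PIDs, paths and the "hfs.exe" binary name
# are assumptions made for this example.
SAMPLE_EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 1, "Image": r"C:\HFS\hfs.exe",
     "CommandLine": "hfs.exe"},
    {"ProcessId": 101, "ParentProcessId": 100, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ProcessId": 102, "ParentProcessId": 100, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c arp -a"},
    {"ProcessId": 103, "ParentProcessId": 100, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c net user backup$ Passw0rd /add"},
    {"ProcessId": 104, "ParentProcessId": 103, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user backup$ Passw0rd /add"},
    {"ProcessId": 105, "ParentProcessId": 100, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c taskkill /f /im hfs.exe"},
    # Benign: an administrator running whoami from a console session, not under HFS.
    {"ProcessId": 200, "ParentProcessId": 2, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
]

HFS_IMAGE = "hfs.exe"  # assumption: file name of the Rejetto HFS server binary

# Each rule is (name, regex matched case-insensitively against CommandLine).
# The rules only fire for processes that descend from HFS, which is what makes
# "whoami" suspicious here: a file server has no reason to spawn it.
RULES = [
    ("recon_under_hfs", re.compile(r"\b(whoami|arp)\b", re.I)),
    ("account_creation_under_hfs",
     re.compile(r"\bnet1?\s+(user|localgroup)\b.*\s/add\b", re.I)),
    ("hfs_terminated_from_hfs", re.compile(r"\btaskkill\b.*\bhfs\.exe\b", re.I)),
]


def descends_from_hfs(event, by_pid, max_depth=16):
    """Walk ParentProcessId links and report whether any ancestor is hfs.exe.

    Caveat: real telemetry reuses PIDs, so a production version should key on
    ProcessGuid/ParentProcessGuid instead; PIDs are used here for brevity.
    """
    cur = event
    for _ in range(max_depth):
        parent = by_pid.get(cur["ParentProcessId"])
        if parent is None:
            return False
        if ntpath.basename(parent["Image"]).lower() == HFS_IMAGE:
            return True
        cur = parent
    return False


def detect(events):
    """Return one finding per (event, rule) match for processes under HFS."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for e in events:
        if not descends_from_hfs(e, by_pid):
            continue
        for name, pattern in RULES:
            if pattern.search(e["CommandLine"]):
                findings.append({"rule": name, "pid": e["ProcessId"],
                                 "cmd": e["CommandLine"]})
    return findings


def summarize(findings):
    """Count findings per rule, e.g. for a triage dashboard."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(f"[{h['rule']}] pid={h['pid']} cmd={h['cmd']}")
    print(summarize(hits))
```

The benign console whoami (PID 200) is deliberately not flagged: the lineage check, not the command name alone, carries the signal. In a real deployment the same logic maps onto a SIEM query that joins process-creation events on parent GUIDs and filters for the HFS image as an ancestor.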