On 27 August 2024, Fortra published a security advisory regarding a critical credential vulnerability in FileCatalyst Workflow, identified as CVE-2024-6633. FileCatalyst Workflow is a managed file transfer solution used for exchanging large files across networks.
CVE-2024-6633 could allow remote, unauthenticated attackers to access an exposed FileCatalyst Workflow HyperSQL database (HSQLDB), potentially gaining administrator privileges and unauthorised access to confidential data. The internal Workflow HSQLDB is exposed via TCP port 4406 with default product settings, making it highly susceptible to remote access. Once compromised, attackers could use the database credentials to create new admin users, enabling long-term persistence in the system.
Arctic Wolf has not observed any exploitation of this vulnerability. Although the HSQLDB is intended only for installation, has been deprecated, and is not meant for production use, some users may still have FileCatalyst configured to use it instead of an alternative database, making them vulnerable. Threat actors may target this vulnerability in the near future due to its ease of exploitation and the substantial access they could gain by compromising the system.
Recommendations for CVE-2024-6633
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version.
| Product | Affected Version | Fixed Version |
| --- | --- | --- |
| Fortra FileCatalyst Workflow | 5.1.6 Build 139 (and earlier) | 5.1.7 or later |
Please follow your organisation’s patching and testing guidelines to avoid any operational impact.
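The two checkable facts in this advisory, the default HSQLDB listener on TCP port 4406 and the fixed release 5.1.7, can be combined into an audit of your own asset inventory. The Python below is an added example, not Fortra or Arctic Wolf code; the hostnames, the inventory's version-string format and the function names are assumptions.

```python
import re
import socket

HSQLDB_PORT = 4406         # default HSQLDB listener named in the advisory
FIXED_RELEASE = (5, 1, 7)  # "5.1.7 or later" from the advisory table
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def needs_upgrade(version_text):
    """True if below the fixed release (build ignored), None if unparseable."""
    m = _VERSION_RE.search(version_text)
    if not m:
        return None
    return tuple(int(g) for g in m.group(1, 2, 3)) < FIXED_RELEASE


def port_reachable(host, port=HSQLDB_PORT, timeout=2.0):
    """True if a TCP connect to host:port succeeds from where this script runs."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(inventory, probe=port_reachable):
    """Map each host to a finding; probe is injectable so tests can run offline."""
    findings = {}
    for host, version_text in inventory:
        outdated = needs_upgrade(version_text)
        exposed = probe(host)
        if outdated is None:
            findings[host] = "version unknown, verify manually"
        elif outdated and exposed:
            findings[host] = "upgrade first: unpatched and port 4406 reachable"
        elif outdated:
            findings[host] = "upgrade to 5.1.7 or later"
        elif exposed:
            findings[host] = "fixed release, but port 4406 still reachable"
        else:
            findings[host] = "ok"
    return findings


if __name__ == "__main__":
    # Constructed inventory: hostnames and version strings are placeholders.
    sample = [("fc-workflow-01.example.internal", "5.1.6 Build 139"),
              ("fc-workflow-02.example.internal", "5.1.7")]
    for host, finding in audit(sample).items():
        print(f"{host}: {finding}")
```

Run it from the network segment whose exposure you care about, since reachability of port 4406 depends on the vantage point.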