
Hackers are attacking a critical RCE flaw in Rejetto HTTP File Server 2.3m


Hackers are actively exploiting a critical remote code execution vulnerability in the Rejetto HTTP File Server (HFS) program.

The vulnerability is tracked as CVE-2024-23692 (CVSS score 9.8) and impacts HFS up to and including version 2.3m. It was reported in May 2024 and has since been used by attackers to install malware and take control of vulnerable systems.

The CVE-2024-23692 vulnerability enables attackers to send malicious packets to HFS servers, allowing them to execute commands remotely. Shortly after its disclosure, a proof of concept (PoC) was released, leading to a surge in attacks. The AhnLab Security Intelligence Center (ASEC) has confirmed multiple HFS processes being compromised to install malware (link content in Chinese).

Among the deployed malware, the XMRig crypto coin miner is the most prevalent. At least four different attackers have been identified using HFS to install coin miners, including a notable group known as LemonDuck. LemonDuck, first identified in 2019, exploits various vulnerabilities to install XMRig and other malicious tools like XenoRAT and vulnerability scanner scripts. Injection of various Remote Access Trojans (RATs) and backdoor malware has also been observed.

As of the CVE assignment date (2024-05-31), Rejetto HFS 2.3m is no longer supported. Users are urged to remove the old versions and install a supported version of the software.