CVE-2024-23692 — Rejetto HTTP File Server Improper Neutralization of Special Elements Used in a Template Engine Vulnerability

CVE-2024-23692

Rejetto HFS 2.x — Template Injection SSTI → Pre-Auth RCE; Exploited by Cryptominers, XMRig, RATs; No Patch for 2.x — Upgrade to HFS 3

What is Rejetto HTTP File Server?

Rejetto HTTP File Server (HFS) is a lightweight, free file server application for Windows, historically popular for quickly sharing files over a local network or the internet. HFS 2.x has been widely used in home, small business, and hobbyist settings since the 2000s. Despite its age, many instances remain internet-exposed — making them a target for opportunistic mass exploitation. HFS 2.x uses a custom template engine that exposes a vulnerability class rarely seen in modern software: server-side template injection reachable without authentication.

Overview

CVE-2024-23692 is an improper neutralization of special elements used in a template engine (SSTI, CWE-1336) in Rejetto HTTP File Server version 2.x. HFS 2.x uses a custom template engine to generate web pages; an attacker can inject template language sequences into certain URL parameters that are reflected into the template rendering context, causing arbitrary server-side code execution. No authentication is required. There is no patch for HFS 2.x — the recommended remediation is to replace HFS 2.x with HFS 3 (a complete rewrite that does not share the vulnerable template engine). CISA added it to the KEV catalog in July 2024, confirming exploitation by cryptominer operators and remote access trojan (RAT) deployments.

Affected Versions

Product            Vulnerable          Fix
Rejetto HFS 2.x    All 2.x versions    No patch — discontinue and replace with HFS 3
Rejetto HFS 3.x    Not affected        Use HFS 3

Technical Details

The SSTI (CWE-1336) is in HFS 2.x's template engine, which processes template expressions (macros) enclosed in {. ... .} delimiters (or % in some contexts). The template engine supports scripting operations, including execution of external programs via template functions such as {.exec|command.}.

Attack vector: URL parameters submitted to the HFS web interface are incorporated into template rendering contexts without sanitization. By injecting template syntax into a request parameter, an attacker can embed template commands that execute OS commands on the Windows system running HFS.

Example payload:

GET /?search={.exec|cmd.exe /c whoami.} HTTP/1.1

(exact syntax varies by HFS 2.x version)

The server returns the output of the injected command in the response, which confirms code execution (where the output is not reflected, the RCE is blind).
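Because legitimate requests never carry HFS macro syntax in a URL parameter, the presence of a {. ... .} sequence in a request is itself a high-fidelity detection signal. The following detector is an added example, not code from the advisory or from Rejetto: it scans constructed request records (the "ip method url" format and the "somemacro" name are assumptions, not the real HFS log format or a real macro), decodes nested percent-encoding so an encoded "{." is not missed, and ranks hits that use the exec macro named above as command execution.

```python
import re
from urllib.parse import unquote

# HFS 2.x macro delimiters: "{." opens a macro and ".}" closes it (see Technical Details).
MACRO_RE = re.compile(r"\{\.(.*?)\.\}")
# "exec" is the command-execution macro named in the advisory; any other macro name
# appearing in a request parameter is still template injection and is flagged too.
EXEC_MACRO = "exec"

# Constructed sample request records ("<client ip> <method> <url>"); this is NOT the
# real HFS log format, and the "somemacro" name is made up for illustration.
SAMPLE_REQUESTS = [
    "10.0.0.5 GET /?search=quarterly+report",
    "10.0.0.9 GET /?search={.exec|cmd.exe /c whoami.}",
    "10.0.0.9 GET /?search=%7B.exec%7Ccmd.exe%20/c%20whoami.%7D",
    "10.0.0.9 GET /?search=%257B.exec%257Ccmd.exe%2520/c%2520whoami.%257D",
    "10.0.0.3 GET /?search={.somemacro|arg.}",
    "10.0.0.7 GET /files/notes.txt",
]

def decode_fully(url, rounds=3):
    """Strip up to `rounds` layers of percent-encoding so an encoded '{.' is not missed."""
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url

def find_macros(url):
    """Return the bodies of every {. ... .} macro found in the decoded URL."""
    return MACRO_RE.findall(decode_fully(url))

def classify(url):
    """'clean', 'template-injection', or 'exec-rce' (an exec macro was injected)."""
    macros = find_macros(url)
    if not macros:
        return "clean"
    names = [m.split("|", 1)[0].strip().lower() for m in macros]
    return "exec-rce" if EXEC_MACRO in names else "template-injection"

def scan(records):
    """Return (client ip, verdict, macro bodies) for every record that is not clean."""
    findings = []
    for record in records:
        ip, _method, url = record.split(" ", 2)  # maxsplit keeps spaces inside the URL
        verdict = classify(url)
        if verdict != "clean":
            findings.append((ip, verdict, find_macros(url)))
    return findings

if __name__ == "__main__":
    for ip, verdict, macros in scan(SAMPLE_REQUESTS):
        print(f"{ip:<10} {verdict:<19} {macros}")
```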

Post-exploitation payloads observed:

  • XMRig cryptominer: Dropped and executed on the HFS host to mine Monero using the victim's CPU
  • Remote access trojans: AsyncRAT, njRAT, and similar Windows RATs for persistent access
  • Reverse shells: PowerShell or cmd-based reverse shells calling back to attacker C2

Discovery

CVE-2024-23692 was documented by multiple independent researchers. The template injection behavior in HFS 2.x was a known characteristic of the template engine that was ultimately classified as a security vulnerability when applied to user-controlled input in URL parameters.

Exploitation Context

CISA confirmed active exploitation and added CVE-2024-23692 to the KEV catalog on July 9, 2024. The primary exploitation observed was by financially motivated threat actors deploying cryptominers (particularly XMRig for Monero mining) and remote access tools. Internet-exposed HFS 2.x instances were systematically scanned and exploited. The HFS 2.x install base is large despite the software's age — many small businesses and home users continued running old versions because HFS 2.x required no installation and ran as a portable executable.

Remediation

  1. Discontinue use of HFS 2.x immediately — there is no patch available for the 2.x series. The CISA deadline was July 30, 2024.
  2. Replace with HFS 3 (available at https://github.com/rejetto/hfs) — HFS 3 is a complete rewrite with a different architecture that does not have the template injection vulnerability.
  3. Remove or firewall the HFS 2.x instance from internet access immediately — take it offline until migrated.
  4. Audit the Windows host running HFS 2.x for cryptominer processes (check for xmrig.exe, unusual CPU usage) and remote access tools.
  5. Review Windows Event Logs and network connections for signs of C2 callbacks or lateral movement originating from the HFS server.
  6. Change all passwords for accounts on the compromised host — RATs typically harvest credentials from browsers, email clients, and Windows credential stores.

Key Details

Property               Value
CVE ID                 CVE-2024-23692
Vendor / Product       Rejetto — HTTP File Server
NVD Published          2024-05-31
NVD Last Modified      2025-10-31
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-1336
CISA KEV Added         2024-07-09
CISA KEV Deadline      2024-07-30
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2024-07-30. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2024-05-31   CVE published; HFS 3 available as patched replacement (HFS 2.x has no patch)
2024-07-09   CISA adds to KEV (active exploitation confirmed — cryptominers, RATs)
2024-07-30   CISA BOD 22-01 remediation deadline