A vulnerabilit has been identified in the FNT Command Software allowing an authenticated attacker to upload files on an arbitrary position due to a directory traversal. Depending on the configuration of the system this could lead to serious security impacts.

Details

• Product: FNT Command
• Affected Versions: <= 13.4.0
• Vulnerability Type: CWE-434: Unrestrictted Upload of File with Dangerous Type
• Risk Level: High
• Vendor URL: https://www.fntsoftware.com/
• Vendor acknowledged vulnerability: Yes
• Vendor Status: Fixed
• CVE: CVE-2024-44599

Impact

The FNT Command Software does not properly check for manipulated file names. Due to missing file checks an authenticated attacker is able to upload arbitrary files on the system. Depending on the configuration of the system, an attacker is able to compromise the system.

References

• National Vulnerability Database CVE-2024-44599

Timeline

• 2024-09: Vulnerability reported to the vendor.
• 2024-10: Vendor published a fix for the issue.
• 2025-04: Information about the vulnerability is published.

Credits

• Bastian Recktenwald (Bastian.Recktenwald@ZeroBreach.de)