External risk intelligence

Kreasfero Remote Code Execution via File Upload Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2021-42675

The vulnerability involves improper sanitization of uploaded files within a web application, allowing remote code execution. Web applications with file upload functionality are commonly deployed as internet-facing services.

Unrestricted File Upload

Kreado Kreasfero

1.5

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability impacts Kreasfero's media upload functionality, where improperly handled files can lead to unauthorized code execution on the server. This could potentially expose or compromise system operations.

  • Malicious file uploads can run unwanted code.
  • Critical severity, potential for wide impact.
  • Confirm relevance to Kreasfero media uploads.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by uploading a specially crafted PHP file to the media directory of the affected application. This allows them to execute arbitrary code on the server, leading to a complete compromise of the system.

  • No special access required.
  • Upload malicious file to media directory.
  • Remote code execution.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, this vulnerability could allow an unauthenticated attacker to upload a malicious PHP file to the media directory, potentially leading to remote code execution.

  • Malicious PHP files could be uploaded.
  • File uploads to the media directory are the vector.
  • Remote code execution is a potential outcome.

Operational Fix

Recommended remediation, mitigation, and detection steps

Responsible teams must first locate all instances of Kreasfero, determine their exposure and business criticality, and identify the accountable application or platform owner to prioritize remediation efforts.

  • Identify affected Kreasfero instances.
  • Verify public reachability and business impact.
  • Coordinate with application owners for remediation.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Kreado Kreasfero?

Kreasfero is a software application designed for web-based content management. It includes specific features for handling media files, allowing users to upload and store images or documents in a dedicated media directory as part of its standard functional workflow.

What does CWE-434 mean for CVE-2021-42675?

CWE-434 refers to Unrestricted Upload of File with Dangerous Type. In this CVE, the application fails to adequately inspect or filter the files being uploaded. This weakness allows an attacker to bypass intended security boundaries by submitting executable code disguised as a regular media file, which the server then incorrectly processes.

How is the malicious file trigger activated?

An attacker triggers this vulnerability by sending a crafted PHP file directly to the application's media directory. It is important to note that the vulnerability does not require the attacker to have existing credentials or special user permissions; the flaw exists because the software accepts the file upload without validating its content or extension.

Is my Kreasfero instance at risk?

Halo Surface Signal indicates this vulnerability is most relevant to deployments where the application is accessible from the internet. Because file upload features are typically exposed to support external users, any instance reachable via the public web should be considered a potential target for remote code execution.

How do I start securing my environment?

Begin by creating a comprehensive inventory of all Kreasfero installations currently running in your environment. Once identified, work with the relevant application owners to assess their specific network placement and prioritize them for updates or security configuration changes before proceeding with deeper remediation.

References