External risk intelligence

Rejetto HFS Predictable Session Key Allows Remote Code Execution

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-61500

Rejetto HFS is a file server application designed to facilitate remote file sharing and management. Such software is commonly deployed as an internet-facing service to allow external access to hosted files, making it a likely candidate for public internet exposure.

Remote Code Execution

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in Rejetto HFS file server software that allows an unauthenticated remote attacker to gain full administrative control and execute arbitrary code. The flaw stems from the predictable generation of session security keys, which an attacker can exploit by observing login attempts to reconstruct the key and forge administrative credentials.

  • Predictable security keys enable administrative takeover.
  • Critical flaws can expose sensitive systems.
  • Confirm relevance and assess exposure risks.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by interacting with the login process of Rejetto HFS. By collecting information from a few login attempts, the attacker can determine the server's secret key. This allows them to create a fake administrator session, granting them control over the server and the ability to execute arbitrary code.

  • Unauthenticated network access required.
  • Predictable session key generation exploited.
  • Full administrative access and RCE.

Live Threat

Current exploitation, exposure, and threat context

A remote attacker could exploit this vulnerability to gain administrative access to the server. By observing a small number of login responses, an attacker may be able to reconstruct the session-cookie signing key. This would allow them to forge a valid administrator session cookie, leading to unauthorized administrative control and potentially remote code execution.

  • Server administrative access at risk.
  • Attacker intercepts login responses.
  • Full administrative control and RCE.

Operational Fix

Recommended remediation, mitigation, and detection steps

Attackers can exploit Rejetto HFS by compromising the session-cookie signing key, leading to full administrative access and remote code execution. System owners, application owners, and security teams must collaborate to identify all instances of Rejetto HFS, assess their exposure and business criticality, and plan remediation. The first practical step is to locate all deployed instances, determine their reachability from the internet, confirm ownership, and then prioritize actions based on risk.

  • Application and infrastructure teams own remediation.
  • Verify internet-facing HFS instances.
  • Plan risk-based remediation and vendor coordination.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Rejetto HFS?

Rejetto HFS (HTTP File Server) is a lightweight web server application used to host, share, and manage files remotely over a network. It provides a browser-based interface for users to upload and download files, making it a common choice for organizations or individuals who need to provide quick, web-accessible file storage without configuring complex FTP or cloud infrastructure.

What is the vulnerability behind CVE-2026-61500?

This vulnerability is classified as CWE-338, which involves the use of a cryptographically weak pseudo-random number generator. In Rejetto HFS, the application uses a standard, non-cryptographic generator to create session-signing keys. Because the output of this generator is inadvertently shared with users, an attacker can mathematically predict future keys, allowing them to forge administrator cookies and bypass authentication.

How does an attacker trigger this CVE-2026-61500 flaw?

An attacker triggers this by interacting with the HFS login page as an unauthenticated user. By observing a small sequence of login responses, they can collect enough data to reverse-engineer the internal state of the generator. Note that simply browsing static files or accessing non-login pages is generally insufficient; the attack relies on gathering information specifically exposed during the authentication handshake process.

Is my server at risk if it runs Rejetto HFS?

Yes, if you run an affected version, your server is at significant risk, especially if it is accessible via the internet. According to Halo Surface Signal, Rejetto HFS is frequently deployed as an internet-facing service to facilitate remote file sharing. This public exposure means that any remote actor—not just internal users—can reach the login page and attempt the key reconstruction process to gain full control.

How do I respond to CVE-2026-61500?

The immediate priority is to identify every instance of Rejetto HFS within your infrastructure and confirm its network reachability. Prioritize patching or restricting access to any instances that are internet-facing. Collaborate with your application and security teams to review logs for suspicious authentication patterns and coordinate the deployment of official vendor updates to resolve the insecure key generation process.

References