{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/rejetto/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-61500"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["HFS (versions 3.0.0 through 3.2.0)"],"_cs_severities":["critical"],"_cs_tags":["web-vulnerability","rce","session-hijacking"],"_cs_type":"advisory","_cs_vendors":["Rejetto"],"content_html":"\u003cp\u003eCVE-2026-61500 details a critical vulnerability affecting Rejetto HFS, a popular HTTP File Server, specifically versions 3.0.0 through 3.2.0. The vulnerability stems from the application's use of a non-cryptographic \u003ccode\u003eMath.random()\u003c/code\u003e generator to derive its session-cookie signing key. Compounding this issue, outputs from this same predictable generator are inadvertently disclosed to unauthenticated clients during login responses. A sophisticated remote attacker can leverage this weakness by collecting a limited number of login responses, subsequently reconstructing the \u003ccode\u003eMath.random()\u003c/code\u003e generator's internal state. This allows the attacker to recover the session-cookie signing key, forge a valid administrator session cookie, and ultimately gain full administrative access. This administrative control can then be weaponized to achieve remote code execution via the server's \u003ccode\u003eserver_code\u003c/code\u003e configuration feature, posing a severe risk to the compromised system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA remote attacker identifies a vulnerable Rejetto HFS instance running versions 3.0.0 through 3.2.0.\u003c/li\u003e\n\u003cli\u003eThe attacker makes multiple requests to the HFS login endpoint to collect a sufficient number of \u003ccode\u003eMath.random()\u003c/code\u003e outputs, which are implicitly disclosed in login responses.\u003c/li\u003e\n\u003cli\u003eUsing the collected \u003ccode\u003eMath.random()\u003c/code\u003e outputs, the attacker reconstructs the internal state of the non-cryptographic \u003ccode\u003eMath.random()\u003c/code\u003e generator.\u003c/li\u003e\n\u003cli\u003eFrom the reconstructed generator state, the attacker derives the session-cookie signing key, which is directly dependent on \u003ccode\u003eMath.random()\u003c/code\u003e's output.\u003c/li\u003e\n\u003cli\u003eWith the recovered session-cookie signing key, the attacker forges a valid administrator session cookie.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the forged session cookie to authenticate to the Rejetto HFS instance with full administrative privileges.\u003c/li\u003e\n\u003cli\u003eLeveraging administrative access, the attacker utilizes the \u003ccode\u003eserver_code\u003c/code\u003e configuration feature to inject and execute arbitrary commands or code on the underlying server.\u003c/li\u003e\n\u003cli\u003eThis results in remote code execution on the compromised system, allowing for complete control over the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-61500 grants an attacker full administrative access to the Rejetto HFS instance. This level of access enables remote code execution on the underlying server, allowing the attacker to completely compromise the system. The consequences can include data exfiltration, deployment of further malicious payloads (e.g., ransomware or cryptominers), establishment of persistence, or use of the compromised server as a pivot point for lateral movement within the network. This vulnerability poses a severe risk, as it permits unauthenticated attackers to gain complete control over the affected server.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-61500 by upgrading Rejetto HFS to a version beyond 3.2.0 as soon as a fix is available, or apply any vendor-provided security updates immediately.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for Rejetto HFS for any unusual patterns of login attempts, especially those preceding unexpected changes to \u003ccode\u003eserver_code\u003c/code\u003e configurations or remote code execution attempts.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) to detect and potentially block anomalous HTTP requests that may indicate exploitation attempts related to session cookie forgery or attempts to manipulate the \u003ccode\u003eserver_code\u003c/code\u003e feature.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-13T18:17:56Z","date_published":"2026-07-13T18:17:56Z","id":"https://feed.craftedsignal.io/briefs/2026-07-rejetto-hfs-session-key/","summary":"A remote attacker can exploit a critical vulnerability, CVE-2026-61500, in Rejetto HFS versions 3.0.0 through 3.2.0 by recovering the session-cookie signing key due to poor randomness, forging an administrator session, and achieving remote code execution.","title":"Rejetto HFS Vulnerability Allows Remote Code Execution via Session Forgery (CVE-2026-61500)","url":"https://feed.craftedsignal.io/briefs/2026-07-rejetto-hfs-session-key/"}],"language":"en","title":"CraftedSignal Threat Feed - Rejetto","version":"https://jsonfeed.org/version/1.1"}