: Once uploaded, the attacker can execute that file to run arbitrary commands on the server. This grants them the same privileges as the FileCatalyst service, potentially leading to a full system takeover.
The malicious potential of FileCatalyst is not theoretical. Public vulnerability disclosures have demonstrated concrete exploit paths. For instance, (affecting versions prior to 7.2) revealed a critical unauthenticated SQL injection vulnerability in the transferserialized.jsp script. This flaw allowed a remote, unauthenticated attacker to execute arbitrary code on the underlying operating system. In practice, this meant that simply sending a crafted HTTP request to a publicly exposed FileCatalyst web interface could yield a reverse shell, giving the attacker full control of the transfer server. filecatalyst malicious