CVE-2024-23692 CRITICAL

CVE-2024-23692: Rejetto HTTP File Server 2.3m Unauthenticated RCE

Vendor Rejetto
Product HTTP File Server
Weakness CWE-1336
KEV Status Known Exploited
Published May 31, 2024
Last update November 22, 2025

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Rejetto HTTP File Server, up to and including version 2.3m, is vulnerable to a template injection vulnerability. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request. As of the CVE assignment date, Rejetto HFS 2.3m is no longer supported.

CISA mandated remediation

02CISA Required Action

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Key dates

03Disclosure timeline

May 31, 2024 CVE published
November 22, 2025 Record updated