CVE-2024-14037
Status: Deferred - Pending Action

Arbitrary File Upload in Redsea Cloud eHR Leading to RCE

Vulnerability report for CVE-2024-14037, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: VulnCheck

Description

Redsea Cloud eHR contains an arbitrary file upload vulnerability that allows unauthenticated attackers to achieve remote code execution by uploading malicious files through the PtFjk.mob servlet endpoint. The endpoint performs no file extension or MIME type validation, so an attacker can submit a multipart POST request carrying a JSP webshell (in observed requests labelled with a spoofed image/jpeg Content-Type, which the server never checks) and have it stored at a predictable path under the uploadfile directory, where the web server executes it directly. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-11-03 (UTC).

Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
Generated: 2026-07-03
AI Q&A: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products

1 associated CPE:

Vendor    Product      Version / Range
redsea    cloud_ehr    *

Exploitability

CWE-434: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Executive Summary

CVE-2024-14037 is an arbitrary file upload vulnerability in Redsea Cloud eHR. It allows unauthenticated attackers to upload malicious files, specifically JSP webshells, through the PtFjk.mob servlet endpoint.

The endpoint validates neither the file extension nor the MIME type of the upload. Observed attacks send the JSP in a multipart POST request with a spoofed image/jpeg Content-Type, but nothing on the server would reject the .jsp file either way. The file is stored at a predictable location and executed directly by the web server, giving remote code execution.

Impact Analysis

This vulnerability gives an unauthenticated attacker remote code execution on the affected server, with commands running in the security context of the web server (servlet container) process.

Successful exploitation can result in full compromise of the host, unauthorized access to the personal data the eHR application holds, disruption of service, and control over the entire application environment.

Detection Guidance

Detect exploitation attempts by monitoring HTTP POST requests to the PtFjk.mob servlet endpoint, in particular multipart/form-data uploads whose file part declares a Content-Type such as image/jpeg but carries JSP source: a .jsp or .jspx filename, or a body that contains <% or <jsp: instead of beginning with the JPEG signature FF D8 FF.

Search web server or reverse-proxy access logs for POST requests to /RedseaPlatform/PtFjk.mob?method=upload (or other method values on the same servlet) and for later requests to .jsp files under the uploadfile directory, which are the attacker reaching the shell. On the host, check the uploadfile directory for files whose contents do not match their extension. Access logs do not record request bodies, so a spoofed Content-Type is only visible at a proxy, WAF or packet capture, or in the stored file itself.

Commands to help detect this activity include:

  • Using grep or similar tools to find POST requests to the servlet in web server logs, e.g., `grep 'POST /RedseaPlatform/PtFjk.mob' /var/log/httpd/access_log`; for a standalone Tomcat deployment look in the container's own access log instead (logs/localhost_access_log.*.txt by default, if the AccessLogValve is enabled).
  • Searching for JSP source in the uploadfile directory regardless of extension, e.g., `find /path/to/uploadfile -type f -exec grep -lE '<%|<jsp:' {} +` (`<%` rather than `<%=`, so that directives and scriptlets are matched and not only expression tags), and listing files whose detected type does not match their name, e.g., `find /path/to/uploadfile -type f -name '*.jpg' -exec file {} + | grep -v 'JPEG image'`.
  • Capturing traffic to the application, e.g., `tcpdump -i eth0 -w uploads.pcap 'tcp port 80'`, and filtering the capture in Wireshark with `http.request.method == "POST" && http.content_type contains "multipart/form-data"` to review the file parts; tcpdump itself cannot filter on HTTP headers, and TLS traffic has to be captured where it is decrypted (the reverse proxy or WAF).
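The detection logic above, worked through as an added Python example (this is not code from the page, from Redsea, or from any vendor tool): it classifies access-log lines against the PtFjk.mob endpoint, flags follow-up requests to .jsp files under the upload directory, and parses a multipart body to expose the spoofed Content-Type by comparing the declared type with the file signature and the JSP markers in the part. The URL prefix /RedseaPlatform/uploadfile/ is an assumption (the advisory names the directory but not its web path), and the log lines, multipart body and JPEG/JSP samples are constructed for the example.

```python
import re

# Servlet endpoint named in the advisory; the query string (?method=upload or
# any other method value) is ignored when matching.
UPLOAD_ENDPOINT = "/RedseaPlatform/PtFjk.mob"
# ASSUMPTION: URL prefix under which the uploadfile directory is served; the
# advisory names the directory but not its web path.
ASSUMED_UPLOAD_URL_PREFIX = "/RedseaPlatform/uploadfile/"
# Common/combined access-log line (Apache httpd or Tomcat AccessLogValve).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
# '<%' covers scriptlets, expressions and directives; '<jsp:' covers action tags.
JSP_MARKERS = (b"<%", b"<jsp:")
# Signature a part declaring one of these types must begin with.
IMAGE_MAGIC = {"image/jpeg": b"\xff\xd8\xff", "image/png": b"\x89PNG\r\n\x1a\n", "image/gif": b"GIF8"}


def _request(line):
    """(method, path without query string) from an access-log line, or None."""
    m = LOG_RE.match(line)
    return (m.group("method"), m.group("path").split("?", 1)[0]) if m else None


def is_suspicious_request(line):
    """True for any POST to the vulnerable servlet, whatever the query string."""
    req = _request(line)
    return bool(req) and req[0] == "POST" and req[1] == UPLOAD_ENDPOINT


def is_webshell_hit(line):
    """True for a request to a .jsp/.jspx under the upload directory: the
    follow-up traffic of a successful upload."""
    req = _request(line)
    path = req[1].lower() if req else ""
    return path.startswith(ASSUMED_UPLOAD_URL_PREFIX.lower()) and path.endswith((".jsp", ".jspx"))


def looks_like_jsp(data):
    low = data.lower()
    return any(marker in low for marker in JSP_MARKERS)


def inspect_multipart(body, boundary):
    """Findings for file parts whose declared Content-Type, filename and actual
    content disagree (e.g. an image/jpeg header on a JSP body)."""
    findings = []
    for part in body.split(b"--" + boundary)[1:]:
        if part.startswith(b"--"):
            break  # closing delimiter
        head, sep, content = part.partition(b"\r\n\r\n")
        if not sep:
            continue
        content = content.rstrip(b"\r\n")
        headers = {}
        for h in head.strip().split(b"\r\n"):
            k, _, v = h.partition(b":")
            headers[k.strip().lower()] = v.strip()
        fn = re.search(rb'filename="([^"]*)"', headers.get(b"content-disposition", b""))
        if not fn:
            continue  # ordinary form field, not a file
        filename = fn.group(1).decode(errors="replace")
        declared = headers.get(b"content-type", b"").decode(errors="replace").split(";")[0].strip().lower()
        reasons = []
        magic = IMAGE_MAGIC.get(declared)
        if magic and not content.startswith(magic):
            reasons.append("declared %s but content lacks its signature" % declared)
        if looks_like_jsp(content):
            reasons.append("JSP markers in body")
        if filename.lower().endswith((".jsp", ".jspx")):
            reasons.append("server-side script extension")
        if reasons:
            findings.append({"filename": filename, "declared": declared, "reasons": reasons})
    return findings


# Constructed sample data, not real captures: three access-log lines and one
# multipart body as a proxy or WAF would see a PtFjk.mob upload.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Nov/2024:10:14:02 +0000] "POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.4 - - [03/Nov/2024:10:15:10 +0000] "GET /RedseaPlatform/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Nov/2024:10:14:05 +0000] "GET /RedseaPlatform/uploadfile/x.jsp?cmd=id HTTP/1.1" 200 87 "-" "python-requests/2.31"',
]
CONSTRUCTED_JSP = b'<%@ page import="java.io.*" %><% out.println("constructed"); %>'
CONSTRUCTED_JPEG = IMAGE_MAGIC["image/jpeg"] + b"\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 16
BOUNDARY = b"----ConstructedBoundary1234"
SAMPLE_BODY = b"".join([
    b"--" + BOUNDARY + b'\r\nContent-Disposition: form-data; name="file"; filename="shell.jsp"\r\n',
    b"Content-Type: image/jpeg\r\n\r\n", CONSTRUCTED_JSP, b"\r\n",
    b"--" + BOUNDARY + b'\r\nContent-Disposition: form-data; name="file"; filename="ok.jpg"\r\n',
    b"Content-Type: image/jpeg\r\n\r\n", CONSTRUCTED_JPEG, b"\r\n",
    b"--" + BOUNDARY + b"--\r\n",
])

if __name__ == "__main__":
    print([l for l in SAMPLE_LOG if is_suspicious_request(l) or is_webshell_hit(l)])
    print(inspect_multipart(SAMPLE_BODY, BOUNDARY))
```

The log functions key only on method and path because an access log never carries the request body; inspect_multipart needs the raw body and therefore belongs in a WAF or reverse-proxy hook, or in a script run over a decrypted capture. A part declared with a type not in IMAGE_MAGIC is judged solely on its JSP markers and filename, which is why the marker check is applied to every file part and not only to those claiming to be images.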

Mitigation Strategies

Immediate mitigation is strict server-side validation of uploaded files; client-side checks run in the attacker's browser and provide no protection.

  • Validate the file type on the server against an allowlist of permitted extensions and check that the file content carries the signature (magic bytes) of that type. The client-supplied Content-Type is attacker-controlled and must not be trusted, and server-executable types such as .jsp and .jspx must never be accepted.
  • Rename uploaded files to a server-generated name carrying the allowlisted extension, so the attacker controls neither the name nor the extension (double extensions such as shell.jsp.jpg included).
  • Store uploads outside the web application root, or configure the servlet container so that the upload directory is never served as JSP. File-system permissions alone do not help: a servlet container compiles and executes any .jsp it can read under its web root.
  • Limit file size and use an allowlist of safe file types rather than a blocklist of dangerous ones.
  • Inspect uploaded content where practical; a signature check is cheap and reliable, whereas scanning binary images for script markers produces false positives.
  • Do not expose uploads at predictable paths: serve them through a download handler that looks the file up by identifier. This raises the cost of reaching a shell but does not prevent the upload, so it is no substitute for the controls above.

Applying any available patch or update from the vendor remains the only complete remediation; the workarounds above reduce exposure but do not fix the vulnerable servlet.
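The server-side checks in the list above, written out as an added Python example (this is not the product's code, which is a Java servlet, nor a vendor patch): a validator that allowlists extensions, verifies the file signature, never reads the client's Content-Type, generates the stored name itself, and refuses to write into a store that lies under the web application root. The Tomcat-style path /opt/tomcat/webapps/RedseaPlatform and the sample JPEG and JSP bytes are constructed assumptions for the example.

```python
import os
import secrets
import tempfile

# Allowlist of permitted extensions with the signature(s) each file must start
# with. Anything else is rejected; the client's Content-Type is never consulted.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
MAX_BYTES = 5 * 1024 * 1024


class UploadRejected(ValueError):
    pass


def validate_upload(filename, data):
    """Return the canonical extension of an acceptable upload or raise
    UploadRejected. The client-supplied name contributes only its last
    extension, as a hint; the decision rests on the content signature."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("too large")
    base = os.path.basename(filename.replace("\\", "/"))  # discard any path part
    if "." not in base:
        raise UploadRejected("no extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected("extension .%s not allowed" % ext)
    if not any(data.startswith(sig) for sig in ALLOWED[ext]):
        raise UploadRejected("content does not match .%s signature" % ext)
    return ext


def reject_reason(filename, data):
    """None if the upload would be accepted, otherwise the rejection reason."""
    try:
        validate_upload(filename, data)
        return None
    except UploadRejected as exc:
        return str(exc)


def store_is_outside_webroot(store_root, webapp_root):
    """A servlet container compiles and runs any .jsp it finds under its web
    application root regardless of file permissions, so the store must not
    be inside (or equal to) that root."""
    store, web = os.path.realpath(store_root), os.path.realpath(webapp_root)
    return os.path.commonpath([store, web]) != web


def store_upload(filename, data, store_root, webapp_root):
    """Validate, then write under store_root with a random server-generated
    name carrying the allowlisted extension. Returns that name, which is what
    the application records and later serves by lookup, never by client path."""
    if not store_is_outside_webroot(store_root, webapp_root):
        raise UploadRejected("store directory lies inside the web application root")
    ext = validate_upload(filename, data)
    name = "%s.%s" % (secrets.token_hex(16), ext)
    with open(os.path.join(store_root, name), "wb") as fh:
        fh.write(data)
    return name


# Constructed sample inputs: a minimal JPEG header and a JSP scriptlet.
CONSTRUCTED_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 64
CONSTRUCTED_JSP = b'<%@ page import="java.io.*" %><% out.println("constructed"); %>'
# ASSUMPTION: a Tomcat-style web application root; the real deployment path
# is not given in the advisory.
ASSUMED_WEBAPP_ROOT = "/opt/tomcat/webapps/RedseaPlatform"


def demo():
    """Store one acceptable upload whose client-supplied name tries path
    traversal and a double extension; both are discarded and the stored name
    is random. Returns (stored name, whether the file exists)."""
    store = tempfile.mkdtemp(prefix="redsea-uploads-")  # stands in for a path outside the web root
    name = store_upload("../../ROOT/shell.jsp.jpg", CONSTRUCTED_JPEG, store, ASSUMED_WEBAPP_ROOT)
    return name, os.path.isfile(os.path.join(store, name))
```

The validator deliberately has no "block .jsp" rule: a blocklist would have to enumerate .jspx, .jsw, .jsv and every container-specific mapping, whereas the allowlist plus the signature check rejects all of them as a side effect. Because the stored name is generated by the server, a legitimate upload named shell.jsp.jpg is harmless even on a front-end that interprets multiple extensions.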

Compliance Impact

The vulnerability allows unauthenticated attackers to upload arbitrary malicious files and achieve remote code execution on the affected system. This can lead to unauthorized access, data breaches, and potential manipulation or exposure of sensitive personal or health information.

Such security weaknesses can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require organizations to protect personal and health data against unauthorized access and ensure the integrity and confidentiality of such data.

Failure to address this vulnerability could lead to violations of these regulations, potentially resulting in legal penalties, reputational damage, and loss of trust.
