Date of Disclosure: October 22, 2024
CVE-2024-46483 is an integer overflow vulnerability in the packet parsing logic of the Xlight SFTP server, which can lead to a heap overflow with attacker-controlled content. The vulnerability is currently awaiting analysis from NVD, but an existing proof of concept is available on GitHub, raising the likelihood that we will observe exploitation of this vulnerability.
Xlight FTP Server is a lightweight FTP (File Transfer Protocol) server designed primarily for Windows platforms for centralized file sharing and management. Typically, businesses or organizations use FTP servers like Xlight to manage files securely, automate backups, or facilitate data exchanges between departments.
Xlight FTP Server is accessible over the public internet, but typically requires specific configurations to ensure security. Exposed instances of Xlight FTP Server without proper safeguards can increase the risk of exploitation. Users of Xlight FTP Server versions <= 3.9.4.2 are urged to update to the latest version immediately. Note the following key distinction between the 32-bit and 64-bit versions of Xlight:
- 32-bit Versions: Attackers can overwrite critical data structures on the heap, potentially leading to code execution.
- 64-bit Versions: While code execution is less likely on 64-bit systems, the vulnerability still allows for crashes, resulting in denial of service.
Organizations with public-facing Xlight FTP Server instances should check for indicators of compromise as soon as possible. See the provided Censys queries below to help track exposures. It’s recommended to avoid the exposure of network device admin portals on the public internet.
| Field |
Details |
| CVE-ID |
CVE-2024-46483 – CVSS 9.8 (Critical) assigned by CISA-ADP |
| Vulnerability Description |
Integer overflow vulnerability in the packet parsing logic of the SFTP server, which can lead to a heap overflow with attacker-controlled content. |
| Date of Disclosure |
October 22, 2024 |
| Affected Assets |
Xlight FTP Server – particularly the 32-bit version |
| Vulnerable Software Versions |
<3.9.4.3 |
| PoC Available? |
Yes, a PoC is available on GitHub |
| Exploitation Status |
At the time of writing, active exploitation of this vulnerability was not reported by CISA or Greynoise. |
| Patch Status |
Users of Xlight versions 3.9.4.2 and earlier are strongly urged to update to the latest version immediately. The vendor has addressed this vulnerability in subsequent releases. |
Censys Perspective
At the time of writing, Censys observed 3,520 exposed Xlight FTP Servers online, with about 32% concentrated in China. Censys observed about 9% of the exposed instances to be associated with Alibaba Cloud (ASN 37963).
Roughly half of these exposed servers were publicly leaking their versions, and we discovered that 45% of all exposures showed indications of running a vulnerable version (anything below 3.9.4.3).
| Vulnerable? |
Hosts |
Proportion of Total |
| UNKNOWN |
1885 |
53.55% |
| FALSE |
40 |
1.14% |
| TRUE |
1595 |
45.31% |
| Total |
3520 |
100.00% |
We only observed 40 servers running versions 3.9.4.3 or newer.
Map of exposed Xlight FTP Server instances:
To identify all exposed Xlight FTP Server instances on your network regardless of version, the following Censys queries can be used:
Censys Search Query:
services.ftp.banner:"Xlight" OR services.banner:"*xlight*ftp*" OR services.ssh.endpoint_id.raw:"*Xlight FTP*" OR services.banner:"*xlight*server"
Censys ASM Query:
host.services.ftp.banner:"Xlight" or host.services.banner:"*xlight*ftp*" or host.services.ssh.endpoint_id.raw:"*Xlight FTP*" or host.services.banner:"*xlight*server"
References
