CVE-2026-61500 — Rejetto HFS < 3.2.1: predictable session-signing PRNG lets an unauthenticated attacker forge admin sessions to RCE (CVSS 9.3)
VulnCheck disclosed a six-CVE chain in Rejetto HFS (HTTP File Server) 3.0.0 through 3.2.0, all fixed in 3.2.1 on 2026-07-13 (VulnCheck, 2026-07-13). The headline flaw, CVE-2026-61500 (CVSS 4.0 9.3, CWE-338 weak PRNG), derives the session-cookie signing key from JavaScript's non-cryptographic Math.random() and leaks outputs of that same generator to unauthenticated clients on the login endpoint; an attacker who collects a small number of login responses can reconstruct the generator's internal state, recover the signing key and forge a valid administrator session cookie — reaching full admin access and code execution through HFS's built-in server_code configuration feature (arbitrary server-side script), with no authentication or user interaction (VulnCheck, 2026-07-13). Five companion bugs, all verified on NVD and fixed in the same 3.2.1 release, lower the bar further: unauthenticated username enumeration including the default admin account (CVE-2026-61503), state-changing admin actions accepted over GET with no anti-CSRF check (CVE-2026-61502), stored XSS rendered when an admin views the log via a crafted failed-login username (CVE-2026-61501) and via unescaped filenames in the fallback "basic" listing reachable by anonymous uploaders (CVE-2026-61504), and a lang-parameter path traversal limited to reading specific JSON files outside shared folders (CVE-2026-61505). No in-the-wild exploitation of this 3.x chain has been reported yet; the risk is the standard one for a pre-auth, unauthenticated-RCE flaw in internet-facing file-sharing software whose patch is already public — once the forge-the-cookie technique is understood, an exposed instance is a low-effort opportunistic target.
Rejetto HFS 3.0.0 through 3.2.0 derives its session-cookie signing key from the non-cryptographic Math.random() generator and discloses outputs of the same generator to unauthenticated clients during login.
A remote attacker can collect a small number of login responses, reconstruct the generator's state, recover the signing key, and forge a valid administrator session cookie, leading to full administrative access and remote code execution via the server_code configuration feature.
Defender actions
- Upgrade any internet-exposed Rejetto HFS to 3.2.1; where an immediate upgrade is not possible, take the admin interface off the public internet and disable the server_code feature — it is the code-execution sink the forged-session chain reaches.
ATT&CK mapping
2 techniques mapped from the cited reporting · MITRE ATT&CK v19.1
Initial Access TA0001
T1190Exploit Public-Facing Application
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
Execution TA0002
T1059Command and Scripting Interpreter
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.