High · CISA KEV · Exploited in the wild · Public exploit

Arbitrary File Upload and Execution in Versa Director GUI

Identifiers: CVE-2024-39717 · CWE-434 · Unrestricted Upload of File with…

CVE-2024-39717 affects the Versa Director GUI customization feature used to change the interface look and feel. The vulnerable functionality is the “Change Favicon” option, which can be abused to upload a malicious file that merely ends with a .png extension and masquerades as an image. The issue is reachable only after successful authentication to the GUI by a user with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges; tenant-level users do not have access to this feature. The vulnerability has been exploited in the wild for initial access and code execution on Versa Director servers, including deployment of the VersaMem web shell and credential interception from compromised devices. The described behavior corresponds to an unrestricted or insufficiently validated file upload condition in an administrative web interface that can lead to server-side execution of attacker-supplied content.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can allow an authenticated administrative user, or an attacker who has obtained such credentials, to upload a malicious file disguised as a PNG and achieve code execution on the Versa Director server. Real-world exploitation for initial access and execution has been followed by deployment of the VersaMem web shell, HTTPS-based command and control, and interception and harvesting of credentials from user logins to compromised devices. Impact therefore includes full compromise of the management plane, persistence via web shell installation, credential theft, and potential follow-on access to managed infrastructure.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, limit exposure of the Versa Director GUI to trusted administrative networks only, disable or tightly restrict access to the customization/upload functionality where feasible, and reduce the number of accounts holding Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges. Enforce MFA for privileged access, monitor for suspicious file uploads via the favicon feature, inspect the web root and related upload paths for non-image content masquerading as PNG files, and hunt for web shells and anomalous outbound HTTPS communications from the Director server. Because exploitation requires authenticated privileged access, rapid credential rotation and review of privileged account activity are also important interim controls.

Remediation

Patch, then assume compromise.

Apply the vendor-provided fixes for CVE-2024-39717 in affected Versa Director versions. Because the issue is tied to the GUI favicon upload capability, remediation should include enforcing strict server-side validation of uploaded content, restricting accepted file types to verified image formats, preventing executable content from being stored in web-accessible executable locations, and ensuring uploaded files cannot be interpreted as active server-side code. Given the in-the-wild exploitation, organizations should also review Versa Director systems for indicators of compromise, including unauthorized files uploaded through the GUI, presence of the VersaMem web shell, anomalous HTTPS sessions, and signs of credential interception.
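
One way to implement the content check that both the mitigation step (inspecting upload paths for non-image content named .png) and the remediation step (accepting only verified image formats) call for. This is an added example, not Versa's code or part of the original page; the directory to scan is supplied by the caller because the page does not name the upload path, and all function names are hypothetical.

```python
import struct
import zlib
from pathlib import Path

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def is_valid_png(data: bytes) -> bool:
    """True only if data is a structurally complete PNG with nothing after IEND."""
    if not data.startswith(PNG_SIGNATURE):
        return False
    pos, first = len(PNG_SIGNATURE), True
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length
        if end + 4 > len(data):
            return False                      # chunk runs past end of file
        if zlib.crc32(data[pos + 4:end]) != struct.unpack(">I", data[end:end + 4])[0]:
            return False                      # CRC covers chunk type + data
        if first and (ctype != b"IHDR" or length != 13):
            return False                      # IHDR must be the first chunk
        first, pos = False, end + 4
        if ctype == b"IEND":
            return pos == len(data)           # trailing bytes after IEND: reject
    return False                              # no IEND chunk found

def find_suspect_pngs(root) -> list:
    """Paths under root named *.png (any case) whose content is not a valid PNG."""
    return [p for p in sorted(Path(root).rglob("*"))
            if p.is_file() and p.suffix.lower() == ".png"
            and not is_valid_png(p.read_bytes())]

def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC."""
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body)))

def build_sample_png() -> bytes:
    """Constructed 1x1 greyscale PNG, used only as known-good test input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))

if __name__ == "__main__":
    import sys
    # The scan root is an assumption: pass the directory holding uploaded images.
    for path in find_suspect_pngs(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("not a valid PNG:", path)
```

Rejecting data after IEND is deliberately strict: it flags files that begin as a real image and carry appended content, at the cost of flagging the occasional benign PNG with trailing bytes.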
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.


EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor | Product | Type
Versa-Networks | Versa Director | application

Vendor-confirmed product mapping.
