Arbitrary File Upload Vulnerability in Redsea Cloud eHR
CVE-2024-14037
Key Information:
- Status
- Vendor
- CVE Published:
- 2 July 2026
Badges
What is CVE-2024-14037?
Redsea Cloud eHR is affected by an arbitrary file upload vulnerability that permits unauthenticated attackers to execute remote code. By exploiting the PtFjk.mob servlet endpoint, attackers can submit multipart POST requests containing malicious files disguised as image/jpeg, thereby circumventing the lack of proper extension and MIME type validation. The malicious files are stored in a predictable directory, making them directly executable by the web server. This vulnerability highlights significant security risks associated with insufficient input validation in web applications.
Affected Version(s)
Red Sea Cloud eHR *
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
