Sharon428931

Zero-Day in eSafeNet Document Security Platform (CVE Unconfirmed)

> About Author
Hi, I'm Sharon, a product manager at Chaitin Tech. We build SafeLine, an open-source Web Application Firewall built for real-world threats. While SafeLine focuses on HTTP-layer protection, our emergency response center monitors and responds to RCE and authentication vulnerabilities across the stack to help developers stay safe.

In December 2023, a critical Remote Code Execution (RCE) vulnerability in the eSafeNet Electronic Document Security Management System was publicly disclosed. The vulnerability requires no prior authentication and puts sensitive enterprise data and internal systems at serious risk.

If your organization uses this platform, you should patch it immediately.


What is eSafeNet?

eSafeNet is widely used enterprise software that offers document encryption, permission control, and audit logging, all aimed at improving document security and management efficiency.


Vulnerability Overview

Root Cause

The vulnerability stems from insufficient access controls in the backend. By exploiting a file read weakness (e.g., using directory traversal like ../), attackers can retrieve critical files on the server — including credentials.

Once authenticated with the retrieved credentials, the attacker can upload arbitrary files to sensitive locations and execute malicious code remotely.

Exploit Characteristics

  • Payloads often contain path traversal patterns like ../
  • Targets TCP port 8021, a non-standard port (default configuration)
  • Exploitable without authentication
  • Can lead to full remote code execution

Impact

  • RCE Risk: Attackers can execute arbitrary commands or scripts on the target server
  • Data Exposure: Sensitive files, configurations, or internal credentials could be leaked
  • Ransomware Threats: Uploading and executing ransomware is a potential attack vector

Affected Versions

  • All versions <= V5.6.1.109.122

Mitigation & Fixes

Temporary Workarounds

  • Restrict Access: Limit 8021 port access to trusted IPs. Avoid exposing it to the public internet.
  • Access Control: Strengthen permission policies on server endpoints.
  • Log Monitoring: Track and investigate suspicious uploads or path traversal attempts in server logs.
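
For the log-monitoring workaround, here is an added example (not from the original post and not part of any Chaitin or eSafeNet tool): a Python filter that flags requests whose target contains a ../ segment. It goes beyond the plain ../ pattern named above by also catching percent-encoded, double-encoded and backslash forms. The combined log format, the sample lines and the /example/ paths are assumptions.

```python
import re
from urllib.parse import unquote

# Assumption: the log is in Apache/Nginx "combined" format. Adjust REQUEST_RE
# to whatever the proxy or server in front of port 8021 actually writes.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# ".." as a whole path segment, bounded by / or \ or a query-string delimiter.
# A name such as "report..final.pdf" does not match.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=&?])\.\.(?:[/\\]|$)')

MAX_DECODE_ROUNDS = 3  # unwraps %2e and %252e style nesting


def fully_decode(target: str) -> str:
    """Percent-decode repeatedly until the string stops changing."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def find_traversal(lines):
    """Return (ip, method, status, raw_target) for requests whose decoded
    target contains a ".." path segment."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and TRAVERSAL_RE.search(fully_decode(m["target"])):
            hits.append((m["ip"], m["method"], int(m["status"]), m["target"]))
    return hits


# Constructed sample lines (not real traffic); all paths are placeholders.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Dec/2023:10:01:02 +0800] "GET /example/download?file=../../conf/app.properties HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Dec/2023:10:01:05 +0800] "GET /example/download?file=%252e%252e%252fconf HTTP/1.1" 404 0',
    '203.0.113.9 - - [12/Dec/2023:10:02:00 +0800] "GET /example/view?name=..%5c..%5cconf HTTP/1.1" 200 17',
    '192.0.2.44 - - [12/Dec/2023:10:03:00 +0800] "GET /docs/report..final.pdf HTTP/1.1" 200 9000',
    '192.0.2.44 - - [12/Dec/2023:10:03:09 +0800] "GET /index.jsp HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for ip, method, status, target in find_traversal(SAMPLE_LOG):
        flag = "SERVED" if status < 400 else "refused"
        print(f"{flag:8} {ip:15} {method:4} {target}")
```

Hits answered with a 2xx status are the ones to investigate first, since the server returned content for a traversal request.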

Permanent Fix

  • Official patches have been released. Contact eSafeNet support via https://www.esafenet.com to apply the November patch update.

Reproduction & Detection Tools

Remote Scanner (X-POC)

xpoc -r 417 -t http://xpoc.org

Tool repo:


Local Scanner (Muyun)

./yisaitong_rce_ct_1002008_scanner_windows_amd64.exe scan

Tool download:


Product Support Matrix

Product  | Support Details
Yuntu    | Fingerprint & PoC detection supported
Dongjian | Supports custom PoC
SafeLine | Detects exploit behavior by default
Quanxi   | Default detection support
Muyun    | Patch package EMERVULN-23.12.013 available for versions ≥ 23.05.001

Timeline

  • Dec 12, 2023: Vulnerability details disclosed online
  • Dec 13, 2023: Vulnerability reproduced by Chaitin Research
  • Dec 13, 2023: Public advisory published by Chaitin Security Response Center
