Security Advisory: MicroFocus Filr Appliance 3.0 build 4670 (Exposed LDAP Credential)

Swascan Offensive Security Team has identified Information Disclosure vulnerabilities on the digital assets of MicroFocus Filr Appliance 3.0 (build 4670).

The vulnerability was identified during a penetration test for a customer whose Filr application is exposed. With administrator credentials available, we were able to view the LDAP configuration password in clear text in one of the application's responses. The Technical summary chapter describes all the steps to reproduce this vulnerability.

The patch, released on May 19, 2023, is available. Update your appliance with this most recent release.

Micro Focus (OpenText)

Micro Focus is a global software and IT services company that provides solutions for enterprise applications, hybrid IT management, security, risk management, and analytics. With a diverse portfolio of software products and consulting services, Micro Focus assists organizations in modernizing their IT systems and optimizing business processes. The company serves various industries and has a global presence, helping businesses worldwide with their software and technology needs.

Product description

Filr offers file access and sharing from any device. Users get what they want, and you stay in control of files and security.

Technical summary

Swascan’s Cyber Security Team found an important vulnerability on: MicroFocus Filr Appliance 3.0 build 4670

Vulnerability               CVSSv3.1 Base Score   CVSSv3.1 Base Vector
LDAP Credential Disclosure  7.2 High              AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

The following section gives the technical details of this vulnerability, including evidence and a proof of concept.

Exposed LDAP Credential

Description

The web application exposes in clear text, to a user with elevated privileges, the administrator credentials for synchronizing the users present in the Active Directory via LDAP.

A potential attacker having these credentials available could try to access the Domain Controller with maximum privileges and conduct subsequent attacks such as: exfiltration of sensitive data, and deployment of ransomware with subsequent ransom request.

Proof of Concept

After logging in with administrative credentials you have the possibility to access the administration console and view the configuration of the web app including the LDAP configuration as shown below:

Evidence 1 Admin console page

Evidence 2 LDAP configuration page.

As you can see, the password is obfuscated in the user interface. However, by intercepting the requests and responses the application performs, a POST request to the gwtTeaming.rpc component can be observed whose response contains the credentials in clear text, as shown below:

Evidence 3 Post HTTP Request to component gwtTeaming.rpc

Evidence 4 HTTP response with plaintext password.
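The evidence above shows the root cause: the password was masked only in the browser, while the server-side RPC still serialized the stored secret. The following Python module is an added example (not Micro Focus or Swascan code) of the server-side pattern that prevents this class of disclosure: the bind password is treated as write-only, every client, including administrators, receives a constant mask, and an update that echoes the mask back keeps the stored value unchanged. The sample LDAP values, the `LdapConfig` dataclass and the function names are constructed for this illustration.

```python
"""Write-only handling of an LDAP bind password in a configuration API.

Added example (not Micro Focus code): the stored secret is never
serialized to the client, regardless of the caller's privilege level.
The client sees only a fixed mask plus a flag saying a password is set.
"""
import json
from dataclasses import dataclass
from typing import Optional

PASSWORD_MASK = "********"  # constant placeholder shown to every client


@dataclass
class LdapConfig:
    """Hypothetical LDAP sync settings as stored server-side."""
    server_url: str
    bind_dn: str
    bind_password: Optional[str]  # secret; never returned to callers
    base_dn: str


def serialize_for_client(cfg: LdapConfig) -> dict:
    """Build the response body for the admin UI.

    The bind password is replaced by PASSWORD_MASK on the server, so no
    response (RPC or otherwise) can carry the clear-text value.
    """
    return {
        "server_url": cfg.server_url,
        "bind_dn": cfg.bind_dn,
        "bind_password": PASSWORD_MASK if cfg.bind_password else "",
        "password_set": bool(cfg.bind_password),
        "base_dn": cfg.base_dn,
    }


def apply_update(cfg: LdapConfig, body: dict) -> LdapConfig:
    """Apply an admin edit.

    A submitted password equal to the mask, or absent, means "keep the
    existing secret"; any other value replaces it. This is what lets the
    UI round-trip the form without ever holding the real password.
    """
    submitted = body.get("bind_password")
    if submitted is None or submitted == PASSWORD_MASK:
        new_password = cfg.bind_password
    else:
        new_password = submitted
    return LdapConfig(
        server_url=body.get("server_url", cfg.server_url),
        bind_dn=body.get("bind_dn", cfg.bind_dn),
        bind_password=new_password,
        base_dn=body.get("base_dn", cfg.base_dn),
    )


def response_leaks_secret(response_body: str, cfg: LdapConfig) -> bool:
    """Regression check for tests: does a serialized response body contain
    the stored secret? Run this against every endpoint that returns config."""
    return bool(cfg.bind_password) and cfg.bind_password in response_body


if __name__ == "__main__":
    # Constructed sample values, not from any real deployment.
    stored = LdapConfig(
        server_url="ldaps://dc.example.test:636",
        bind_dn="CN=filrsync,OU=svc,DC=example,DC=test",
        bind_password="S3cret-example-only",
        base_dn="DC=example,DC=test",
    )
    body = json.dumps(serialize_for_client(stored))
    print(body)
    print("leaks secret:", response_leaks_secret(body, stored))
    # Echoing the mask back keeps the stored password; a new value replaces it.
    kept = apply_update(stored, {"bind_password": PASSWORD_MASK, "base_dn": "DC=new,DC=test"})
    print("password kept after masked update:", kept.bind_password == stored.bind_password)
```

The `response_leaks_secret` check is the piece worth wiring into an automated test suite: it catches exactly the regression shown in Evidence 4, where a secondary endpoint serializes the same object without the mask.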

Remediation

The patch, released on May 19, 2023, is available. Update your appliance with this most recent release.

Disclosure Timeline

  • 30/01/2023:  Vulnerabilities discovered
  • 01/03/2023:  Vendor contacted by email
  • 07/03/2023:  Vendor reported the vulnerability to internal team
  • 19/04/2023:  Vendor confirmed that work on a fix had started
  • 19/05/2023:  Vendor released the fix
  • 28/06/2023: Security Advisory publication
  • 06/12/2023: CVE issued CVE-2023-32268

Final consideration

Swascan would like to thank MicroFocus for their collaboration in managing the disclosure, for their commitment to ensuring maximum resilience of products and solutions, and for great professionalism demonstrated during all phases of the process.
