Two critical command injection vulnerabilities in Fujitsu cloud storage system allow remote encryption or deletion of files

Eli Cyber Security
2 min readJun 10, 2022

Two bugs in the web interface of a cloud storage system would allow authenticated threat actors to read, write, and even destroy backed up files. According to the report, these flaws reside in the enterprise-grade Fujitsu Eternus CS800 V8.1 solution.

These problems were found by researchers at NCC Group, who mention that the flaws exist due to the lack of user input validation in two PHP scripts. Vulnerabilities include a command injection in and a command injection in , and their successful exploitation would allow actors to execute remote code threats without authentication.

Because there are no protections during inclusion, threat actors could activate the script without prior authentication by calling it directly. This would allow them to take control of the device as if they had logged in directly through a secure shell.

According to experts, successful exploitation allows hackers to obtain limited user privileges on the machine as a ‘www-data’ user; however, it should be noted that the Kernel on the system that NCC Group found is very outdated, allowing hackers to escalate their privileges to the system’s administrative root user.

Researchers at NCC Group discovered these problems while applying pentesting to a customer’s systems. These findings were reported to Fujitsu, which addressed the flaws shortly thereafter and notified its users that no active exploitation attempts had been detected, plus there do not appear to be proof-of-concept (PoC) exploits for these attacks.

Although hacking attempts are unlikely to occur, users are advised to upgrade to the latest version of the software to mitigate the risks related to these flaws.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

Originally published at on June 10, 2022.