A critical flaw in Rejetto HFS (3.0.0–3.2.0) lets unauthenticated remote attackers forge administrator session cookies and achieve remote code execution by exploiting a session key derived from a non-cryptographic random generator.
What Is It
CVE-2026-61500 is a cryptographic weakness (CWE-338, use of a cryptographically weak pseudo-random number generator) in the Rejetto HFS file server. HFS derives its session-cookie signing key from the non-cryptographic Math.random() generator, and it discloses outputs of that same generator to unauthenticated clients during login. By collecting a small number of login responses, an attacker can reconstruct the generator's internal state, recover the signing key, and forge a valid administrator session cookie. The issue carries a CVSS 3.1 base score of 9.8 (CRITICAL) and a CVSS 4.0 score of 9.3.
Why It Matters
Exploitation requires no authentication, no user interaction, and low attack complexity, and is reachable over the network. A successful attack yields full administrative access and remote code execution via the server_code configuration feature—complete compromise of confidentiality, integrity, and availability on the affected host. Because the attack relies only on a handful of observable login responses, it is practical for any remote attacker who can reach the server.
What's Vulnerable
Rejetto HFS versions 3.0.0 through 3.2.0 (all releases prior to 3.2.1) are affected. The vulnerable behavior stems from the session-cookie signing key generation and its exposure of Math.random() outputs during login.
Patch Status
The issue is fixed in Rejetto HFS v3.2.1. Administrators running any version from 3.0.0 through 3.2.0 should upgrade to 3.2.1 or later. No CISA KEV entry confirming active exploitation was supplied for this CVE; there is no indication of confirmed in-the-wild exploitation in the provided source material.