cythera-logo-darkmode
Are you experiencing a security incident?
Incident Response
Assess & Improve
Detect & Respond
Protect & Secure
Advise & Empower
Resources
Case Studies
Real-world examples
Articles
In-depth insights
Advisories
Newly discovered threats
About us
Leadership Team
Meet the experts
Events
Join upcoming events
Award & Certifications
Industry recognitions
Vendor Partners
Trusted vendors
Talk to an expert
Service Category
Services
Popular Services
Employee Cyber Training & Awareness
Train smart and stay secure
Advisory
Secure smarter with strategic security advisory
Managed Protection
Always-on protection. Smarter security
Security Architecture
Security that drives real results, cloud to full stack
Digital Forensics & Incident Response
DFIR experts, ready when you need them.
Cyber Threat Intelligence
Real time insights from Cassini CTI
Managed Detection & Response
Our experts watch, so you don’t have to.
Certification & Accreditation
Get certified with ease
Audit & Assurance
Audits you trust. Assurance that drives action.
Governance, Risk & Compliance
Simplfy compliance, strengthen protection
Cyber Maturity Assessments
Level up your cyber security game
Penetration Testing
Penetration testing that spots weaknesses
Case Studies
    
Articles
    
Advisories
    
Web Filter, CASB & DLP (Cloud Access Security Broker & Data Loss Prevention)
Web Application Penetration Testing
Vulnerability Management
Vulnerability Assessment
vITSM
Virtual Security Architect (vSecArch)
vCISO
System Security Plan
System Architecture, Design & Implementation
Strategic Security Consulting
SWIFT CSCF
Specialist Testing
Source Code Review
Social Engineering & Phishing
Security Policy and Standard Development
Security Incident Response Testing
Security Awareness Training
Secure Access Service Edge (SASE)
Risk Management
Risk Assessment
Red Teaming
Purple Teaming
NIST CSF Maturity Uplift
Payment Card Industry (PCI)
OT/SCADA Network Penetration Test
NIST CSF Assessment
ISO 27001
Internal Penetration Testing
Incident Response Tabletop Exercise
Incident Response
Forensics
External Penetration Testing
Executive & Board Reporting
Executive and Board Security Governance Training
Essential Eight Assessment
Endpoint Protection
Email Security
DevSecOps Review & Implementation
Denial of Service (DoS) Testing
Design Reviews
Dark Web Monitoring
Controls Validation Audit
Continuous Certification
Compliance Programme Management
Configuration Reviews
Cloud Security Configuration
Cloud Posture & Security
CIS Critical Controls Assessment
Automated Patch Management
CI/CD Health Check
Artificial Intelligence (AI) Penetration Test
All of Government Marketplace
Advanced OSINT Training Course
Application Penetration Tests
NIST CSF Assessment
ISO 27001
Internal Penetration Testing
External Penetration Testing
Essential Eight Assessment
Denial of Service (DoS) Testing
Dark Web Monitoring
cythera-logo-darkmode
Advise & Empower
Explore Solutions
Protect & Secure
Explore Solutions
Detect & Respond
Explore Solutions
Assess & Improve
Explore Solutions
Resources
Articles
Advisories
About Us
Explore Bastion
Leadership Team
Events
Award & Certifications
Our Community
Vendor Partners
Employee Cyber Training & Awareness
Advisory
Managed Protection
Security Architecture
Digital Forensics & Incident Response
Cyber Threat Intelligence
Managed Detection & Response
Certification & Accreditation
Audit & Assurance
Governance, Risk & Compliance
Cyber Maturity Assessments
Penetration Testing
Popular Services
NIST CSF Assessment
ISO 27001
Internal Penetration Testing
Incident Response
Talk to an expert
Resources
About Us
Advisories
>
Accellion Kiteworks — Privilege Escalation Vulnerability
Cythera Cyber Security

Accellion Kiteworks — Privilege Escalation Vulnerability

An authenticated privilege escalation flaw in the Accellion Kiteworks platform allows a malicious admin user to gain shell access with root privileges through the web interface.
Talk to an expert

Introduction

As part of a security review of Accellion’s kiteworks platform, Cythera examined both a standalone virtual machine instance and a client’s pre-production environment. During testing, multiple chained vulnerabilities were uncovered that could allow a malicious web administrator to escalate privileges and gain root SSH access to the host server. These issues were addressed in version 7.3.1-ng9, released publicly on 4 March 2021.

What is kiteworks?

Kiteworks is a secure enterprise file-sharing solution developed by Accellion. It enables both internal and external users to access, share, sync, and collaborate on files from various content repositories, using any device. The platform integrates with corporate data sources and provides secure access across endpoints and environments.

Vulnerability Hunting

Researchers began by examining a Kiteworks virtual machine file, which they mounted easily. This provided access to the platform's source code, which helped streamline vulnerability analysis.

Inside the image, several components were identified:

  • A PHP-based public-facing website
  • An internal Python API running with Gunicorn
  • An external PHP API
  • MySQL and MongoDB databases
  • A Python command-line tool used across the platform

The team focused first on the website, which appeared to be the most accessible route for identifying flaws.

Gaining SSH Access

Kiteworks includes a feature in the admin interface allowing “Remote Management over SSH” for support use. The admin enables this function and shares a generated management password. However, this password alone doesn’t grant SSH access.

By examining the source code, researchers found that the real SSH password is a combination of two values:

  • A randomly generated phase (usually the first 10 characters of the password)
  • The first 10 hexadecimal characters of a license file’s digital signature

Another secret called filex_key, stored inside the license, was also required. It could be extracted by decoding the license using base64, then decrypting it using AES-128-CBC with a static key. Once the phase and filex_key were known, generating the valid SSH password was simply a matter of applying a SHA-1 hash.

This enabled successful login via SSH as the system user prometheus.

Forging a License (No Original Required)

If the original license wasn't available, the researchers found a way to bypass license verification and generate a valid but fake one.

The vulnerability stemmed from poor validation logic in the license verification process. Although the system defaulted to using strong public-key cryptography for version 2 licenses, inserting a secondary version indicator (version 1) in the JSON structure forced it into legacy SHA-512 hash-based verification.

This weaker validation allowed a crafted license to pass checks if it matched a calculated hash, despite not being signed with the proper private key.

Uploading such a forged license gave the attacker full control over:

  • The phase used in SSH password generation
  • The filex_key
  • The license expiry date (which could be set to never expire.
  • This enabled SSH access to the appliance.

Privilege Escalation from prometheus to root

Once inside as prometheus, the researchers found that this user could run a Python script as root using sudo. The script (admin.py) lived in a folder symlinked from the user’s home directory.

By renaming the directory and replacing it with their own that contained a symlink to /bin/bash (while keeping the same script name), they could trick the system into running a root shell.

Executing the command elevated their access to full root privileges, achieving complete compromise of the system.

Recommended Fixes

Upgrade Kiteworks to version 7.3.1-ng9 or later

Disable external SSH access to the appliance by blocking port 22

Harden sudo configurations to restrict binary paths and symlink-based bypasses

Summary

  • The license verification process could be manipulated to forge a valid license, enabling attackers to gain SSH access
  • Once inside, a weak sudo policy allowed trivial escalation from prometheus to root
  • Combined, these issues create a critical post-authentication attack path

CIO
Government Agency
Cythera operates as an extension of our team. When we call there is an immediate response and the person that answers our call is the person that resolves our issue. Cythera understands our network, and more importantly, has taken the time to understand our business. We find it easy to work with Cythera. They are approachable, flexible and have taken the time to build deep relationships with our team. It is a partnership and friendship. Cythera’s personalised, highly specialised services makes all the difference. We would recommend Cythera to anyone in the industry looking for a managed services partner.
Expert methods

We have the tools to pinpoint risks

Whether it’s hidden vulnerabilities or patterns you might miss, we help you stay one step ahead and make confident, informed decisions. Understand how our services can help your business uncover critical risks

Talk to an expert
Employee Cyber Training & Awareness
Your people are your first line of defence. Our cyber training builds awareness sharpens instincts and turns everyday staff into assets.
Advisory
When clarity is critical and stakes are high, our advisory services deliver strategic, executive-level security expertise that empowers decision-making and resilient operations.
Advise & Empower
Protect & Secure
Detect & Respond
Assess & Improve
Back to top
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Dark
Resources
Case StudiesArticlesAdvisoriesOur ISO 27001 Certificate
About UsLeadership TeamEventsAwards & CertificationsOur CommunityVendor Partnership
Are you experiencing a security breach?
Incident Response
1300 298 437
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
© Copyright 2025. All rights reserved