CVE-2024-12087 is a medium-severity path traversal vulnerability in the widely used file synchronization tool rsync. The root cause lies in the --inc-recursive option, which is enabled by default for many client options and can also be enabled by the server independently of the client’s explicit choice. This option facilitates incremental recursive transfers but fails to properly verify symbolic links during the synchronization process. Additionally, deduplication checks are performed on a per-file-list basis rather than globally, which can be exploited by a malicious rsync server. Specifically, an attacker controlling the server can craft file lists and symbolic links that cause rsync running on the client to write files outside the intended destination directory on the client system. This allows the server to place arbitrary files in arbitrary locations on the client machine, potentially overwriting or injecting malicious files into sensitive directories. Exploitation requires the client to initiate a connection and interact with the server, but no prior authentication or elevated privileges are necessary on the client side. The vulnerability impacts the integrity of client systems by enabling unauthorized file modifications, but does not directly compromise confidentiality or availability. The CVSS 3.1 score of 6.5 reflects the network attack vector, low attack complexity, no privileges required, but requiring user interaction and limited to integrity impact. No known exploits are currently reported in the wild, but the vulnerability is publicly disclosed and should be addressed promptly.

For European organizations, the primary impact is the potential for unauthorized modification of client systems during rsync operations with untrusted or compromised servers. This can lead to the insertion of malicious files, backdoors, or tampering with critical configuration or application files, undermining system integrity. Organizations relying on rsync for backup, file synchronization, or deployment across distributed environments face risks of supply chain or insider threats exploiting this vulnerability. While confidentiality and availability impacts are minimal, integrity breaches can facilitate further attacks such as privilege escalation or lateral movement. The risk is heightened in sectors with extensive use of rsync for automated file transfers, including government, finance, healthcare, and critical infrastructure. The vulnerability could also be leveraged in targeted attacks against European entities by adversaries controlling or compromising rsync servers. Given the default or server-enabled nature of --inc-recursive, many deployments may be unknowingly exposed.

European organizations should immediately audit their rsync usage to identify instances where the --inc-recursive option is enabled, either by client configuration or server policy. Disabling --inc-recursive where not strictly necessary reduces exposure. When incremental recursive transfers are required, ensure that rsync versions are updated to include patches addressing this vulnerability once available. Until patches are applied, restrict rsync server access to trusted entities only and avoid connecting to untrusted or public rsync servers. Implement file system monitoring and integrity verification on client systems to detect unauthorized file writes or modifications. Employ network segmentation and strict firewall rules to limit rsync traffic to known safe endpoints. Additionally, consider using alternative secure file transfer methods that do not exhibit this vulnerability for sensitive data synchronization. Educate system administrators about the risks of this vulnerability and the importance of verifying server trustworthiness before initiating rsync operations.