
Security Alert: rsync Vulnerability Allows for Remote Code Execution


Google Cloud and other independent security researchers announced on January 14, 2025, that they had uncovered six vulnerabilities in the popular rsync (remote sync) file-synchronizing tool. 

The most severe vulnerability found, CVE-2024-12084 (CVSS 9.8), allows a threat actor to exploit a buffer overflow flaw in the rsync daemon. When combined with CVE-2024-12085, these vulnerabilities can lead to remote code execution and system compromise. No proof of concept has been released yet, and there is no documented evidence of active exploitation.

What is the concern?

Rsync is an open-source incremental file transfer tool that has existed since the 1990s. It is typically found on Unix-like operating systems and is used mainly for backups and restoration operations.

Rsync is a commonly used file synchronization utility, present on over 660,000 systems exposed to the internet. Many backup programs, such as Rclone, DeltaCopy, and ChronoSync, use rsync as their backend software for file synchronization.

Because rsync can be used remotely, it is vulnerable to potential remote exploitation by threat actors. Depending on the defined system privileges, an attacker could then execute further malicious acts, including installing programs or deleting data.


Based on the information available on this vulnerability, the Coalition Exploit Scoring System has ranked its exploit availability as high (67.58%) but its exploit usage as low (35.12%). These scores mean an exploit is likely to become available in the future, but it is less likely to be weaponized. The volume of social media discourse and the broader public interest in the vulnerability could lead to increased threat actor efforts to produce a proof of concept (PoC).

How do businesses address this?

Organizations should prioritize remediation immediately. To protect their networks from exploitation, businesses should update rsync to version 3.4.0 or greater because that version addresses all six published CVEs.

Businesses are also encouraged to restrict internet access for rsync services. TCP port 873 should be blocked or restricted at the perimeter so servers are not remotely accessible.
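
A local check for both mitigations above, as an added example that is not part of the original advisory or any Coalition tooling: it compares the installed rsync version against 3.4.0 and lists TCP 873 listeners bound to non-loopback addresses. It assumes a Linux host with `ss` available; the `--check` argument and the function names are this example's own.

```shell
#!/bin/sh
# Added example: verify the two mitigations named in the advisory.
FIXED="3.4.0"   # release the advisory says addresses all six CVEs

# Read `rsync --version` on stdin and print the version number, e.g.
# "rsync  version 3.2.7  protocol version 31" -> 3.2.7
parse_rsync_version() {
  sed -n '1s/^rsync  *version  *v\{0,1\}\([0-9][0-9.]*\).*/\1/p'
}

# Exit 0 when dotted version $1 >= $2. Fields are compared as integers,
# so 3.10.1 correctly ranks above 3.4.0 (a string compare would not).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# Print ok / update-needed / unknown for a parsed version string.
classify_version() {
  if [ -z "$1" ]; then echo "unknown"
  elif version_ge "$1" "$FIXED"; then echo "ok"
  else echo "update-needed"; fi
}

# Read `ss -ltn` output on stdin and print local addresses listening on
# TCP 873 that are not loopback-only. A constructed sample line:
#   LISTEN 0 5 0.0.0.0:873 0.0.0.0:*
exposed_873() {
  awk '$4 ~ /:873$/ && $4 !~ /^(127\.|\[::1\])/ { print $4 }'
}

# Run against the live host only when asked to.
if [ "${1:-}" = "--check" ]; then
  v=$(rsync --version 2>/dev/null | parse_rsync_version)
  echo "rsync version: ${v:-not found} ($(classify_version "$v"))"
  ss -ltn 2>/dev/null | exposed_873 | sed 's/^/non-loopback listener on 873: /'
fi
```

A version below 3.4.0 can still carry fixes backported by the distribution, so confirm an `update-needed` result against the vendor's package advisory. A non-loopback listener may still be filtered by a host or perimeter firewall; the script reports the binding, not reachability.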

How Coalition is responding

Coalition is committed to quickly and efficiently notifying our customers of any vulnerabilities within their networks. On January 21, we proactively notified impacted policyholders about this vulnerability through Coalition Control®, our unified cyber risk management platform. We are continuing to monitor the vulnerabilities as they evolve. 

If you received a security alert for this vulnerability or want to learn more, please see the CERT Coordination Center (CERT/CC) advisory. For any questions or assistance with mitigation, please contact the Coalition Security Support Center at securitysupport@coalitioninc.com.

