Task 1 of 4

How Hackers Took Full Control of a Hospital Network

In 2020, a ransomware group gained initial access to a US hospital network through a simple file upload vulnerability on an internet-facing web application. They uploaded a webshell — a malicious script disguised as an image — through a form that accepted profile pictures. From that foothold, they moved laterally through the network, deployed ransomware across hundreds of machines, and demanded $1.3 million. The hospital had to divert patients and operate on paper records for weeks.

File upload vulnerabilities are particularly dangerous because they do not just expose data — they give attackers execution capability on the server. That is a completely different category of impact.

THE IMPACT LADDER — WHAT AN ATTACKER CAN DO WITH A WEBSHELL

Read any file on the server: configuration files, database passwords, source code, private keys — everything readable by the web server process.
Write files anywhere: drop new backdoors, modify existing files, deface the site, plant malware.
Execute operating system commands: run any command — create users, install software, scan the internal network.
Connect to databases: query the database directly — extract all records, modify data, drop tables.
Pivot to the internal network: the server is inside the firewall — use it as a launching point to attack internal systems.
Deploy ransomware: encrypt all accessible files and demand payment — the endgame for many hospital attacks.

Why "profile picture" fields get targeted

File upload features are everywhere and developers often focus on the happy path — they think about what happens when a user uploads a valid image. They do not always think about what happens when someone uploads something else entirely. The attacker's job is to think about exactly that.

1. Why is a file upload vulnerability considered higher impact than, for example, an information disclosure vulnerability?