Critical Flaws Disclosed in Device42 IT Asset Management Software
Aug 11, 2022
Cybersecurity researchers have disclosed multiple severe security vulnerabilities in the IT asset management platform Device42 that, if successfully exploited, could enable a malicious actor to seize control of affected systems.

"By exploiting these issues, an attacker could impersonate other users, obtain admin-level access in the application (by leaking a session with an LFI) or obtain full access to the appliance files and database (through remote code execution)," Bitdefender said in a Wednesday report.

Even more concerningly, an adversary with any level of access within the host network could daisy-chain three of the flaws to bypass authentication protections and achieve remote code execution with the highest privileges.

The issues in question are listed below:

- CVE-2022-1399 - Remote Code Execution in scheduled tasks component
- CVE-2022-1400 - Hard-coded encryption key IV in Exago WebReportsApi.dll
- CVE-2022-1401 - Insufficient validation of provided paths in Exago