CVE-2019-17124
published 2019-10-09CVE-2019-17124: Kramer VIAware 2.5.0719.1034 has Incorrect Access Control.
PriorityP267critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
23.12%
97.5th percentile
Kramer VIAware 2.5.0719.1034 has Incorrect Access Control.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kramerav | viaware | <= 2021-08 | — |
| kramerav | viaware | — | — |
| msrc | microsoft_365_apps_for_enterprise_for_32-bit_systems | — | — |
| msrc | microsoft_365_apps_for_enterprise_for_64-bit_systems | — | — |
| msrc | microsoft_office_2019_for_32-bit_editions | — | — |
| msrc | microsoft_office_2019_for_64-bit_editions | — | — |
| msrc | microsoft_office_2019_for_mac | — | — |
| msrc | microsoft_powerpoint_2010_service_pack_2 | — | — |
| msrc | microsoft_powerpoint_2013_rt_service_pack_1 | — | — |
| msrc | microsoft_powerpoint_2013_service_pack_1 | — | — |
| msrc | microsoft_powerpoint_2016 | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Exploit authenticates to /admin/login.php via POST with form fields 'txtUserId', 'txtPwd', and 'btnOk' — monitor for POST requests to this endpoint, especially from unexpected source IPs or with default/weak credentials. ↗
- →Exploit disables TLS certificate verification (verify=False) when communicating with the target — HTTPS traffic to the admin panel from clients ignoring certificate errors may indicate exploit activity. ↗
- →The exploit uses a specific User-Agent string; monitor for this exact UA string in web server logs targeting Kramer VIAware admin endpoints. ↗
- →After authentication, the exploit calls a 'writeCommand' and 'getResult' function against the host, indicating a web-based command execution interface is abused post-login — monitor for unusual command-like POST/GET parameters on the VIAware admin panel. ↗
- →The CVE is described as Incorrect Access Control on Kramer VIAware 2.5.0719.1034 — patch or restrict access to the admin panel; flag any unauthenticated or low-privilege access to admin functionality. ↗
- ·The exploit was tested specifically on VIAware Go running Windows 10; behavior on other VIAware hardware/OS variants may differ. ↗
- ·The exploit targets only version 2.5.0719.1034; other versions are not confirmed vulnerable by this PoC. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck9.8CRITICAL
vendor_msrc7.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-595x-pq6p-x7x2: Kramer VIAware 2
ghsa_unreviewed·2022-05-24
CVE-2019-17124 [CRITICAL] CWE-276 GHSA-595x-pq6p-x7x2: Kramer VIAware 2
Kramer VIAware 2.5.0719.1034 has Incorrect Access Control.
GHSA
GHSA-qjp8-q2c4-mpmm: KRAMER VIAware through August 2021 allows remote attackers to execute arbitrary code because ajaxPages/writeBrowseFilePathAjax
ghsa_unreviewed·2022-05-24·CVSS 9.8
CVE-2021-36356 [CRITICAL] CWE-434 GHSA-qjp8-q2c4-mpmm: KRAMER VIAware through August 2021 allows remote attackers to execute arbitrary code because ajaxPages/writeBrowseFilePathAjax
KRAMER VIAware through August 2021 allows remote attackers to execute arbitrary code because ajaxPages/writeBrowseFilePathAjax.php accepts arbitrary executable pathnames (even though browseSystemFiles.php is no longer reachable via the GUI). NOTE: this issue exists because of an incomplete fix for CVE-2019-17124.
VulnCheck
kramerav viaware Unrestricted Upload of File with Dangerous Type
vulncheck·2021·CVSS 9.8
CVE-2021-36356 [CRITICAL] kramerav viaware Unrestricted Upload of File with Dangerous Type
kramerav viaware Unrestricted Upload of File with Dangerous Type
KRAMER VIAware through August 2021 allows remote attackers to execute arbitrary code because ajaxPages/writeBrowseFilePathAjax.php accepts arbitrary executable pathnames (even though browseSystemFiles.php is no longer reachable via the GUI). NOTE: this issue exists because of an incomplete fix for CVE-2019-17124.
Affected: kramerav viaware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/ma
Microsoft
Microsoft PowerPoint Remote Code Execution Vulnerability
vendor_msrc·2020-12-08·CVSS 7.8
CVE-2020-17124 [HIGH] Microsoft PowerPoint Remote Code Execution Vulnerability
Microsoft PowerPoint Remote Code Execution Vulnerability
FAQ: Is the Preview Pane an attack vector for this vulnerability?
No, the Preview Pane is not an attack vector.
FAQ: Are the updates for the Microsoft Office 2019 for Mac currently available?
The security update for Microsoft Office 2019 for Mac is not immediately available. The update will be released as soon as possible, and when it is available, customers will be notified via a revision to this CVE information.
Microsoft Office: Microsoft Office
Microsoft: Microsoft
Customer Action Required: Yes
Impact: Remote Code Execution
Exploit Status: Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation Less Likely;Older Software Release:Exploitation Less Likely
Remediation: Click to Run
Reference: https://docs.mi
No detection rules found.
No writeups or analysis indexed.
2019-10-09
Published