cbcvebase.
CVE-2023-26918
published 2023-04-14

CVE-2023-26918: Diasoft File Replication Pro 7.5.0 allows attackers to escalate privileges by replacing a legitimate file with a Trojan horse that will be executed as…

PriorityP267critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
6.05%
92.5th percentile
Diasoft File Replication Pro 7.5.0 allows attackers to escalate privileges by replacing a legitimate file with a Trojan horse that will be executed as LocalSystem. This occurs because %ProgramFiles%\FileReplicationPro allows Everyone:(F) access.

Affected

1 ranges
VendorProductVersion rangeFixed in
filereplicationprofile_replication_pro

Detection & IOCsextracted from sources · hover to see the quote

pathC:\Program Files\FileReplicationPro
filenameprunsrv.exe
pathC:\Program Files\FileReplicationPro\etc\properties.xml
processprunsrv.exe //RS//frp
  • Detect full-control ACL (Everyone:(F)) on the FileReplicationPro install directory, which is the prerequisite for exploitation. Alert on icacls output or ACL enumeration showing Everyone with (F) on this path.
  • Monitor for unexpected writes or replacements of prunsrv.exe in C:\Program Files\FileReplicationPro\ — a Trojan horse substitution of this binary will execute as LocalSystem via the 'frp' (FRPReplicationServer) Windows service.
  • Monitor for unauthorized modifications to C:\Program Files\FileReplicationPro\etc\properties.xml, which stores the web interface password as SHA-1/Base64. Tampering with this file enables credential reset and unauthorized login.
  • Alert on service control queries (sc qc frp) or enumeration of the 'FRPReplicationServer' service, which may indicate attacker reconnaissance prior to exploitation.
  • ·The vulnerability is specific to version 7.5.0 of File Replication Pro on Windows 64-bit. The Everyone:(F) ACL on the install directory is the root misconfiguration enabling exploitation.
  • ·The web interface password in properties.xml is stored as SHA-1 encoded in Base64 — a weak hashing scheme. Any low-privileged user with write access to the install directory can replace this hash to gain web UI access.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.