CVE-2023-31067
Published 2023-09-11
Priority P2 63 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 2.88% (85.1th percentile)
An issue was discovered in TSplus Remote Access through 16.0.2.14. There are Full Control permissions for Everyone on some directories under %PROGRAMFILES(X86)%\TSplus\Clients\www.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tsplus | tsplus_remote_access | <= 16.0.2.14 | — |
| tsplus | tsplus_remote_work | <= 16.0.0.0 | — |
Detection & IOCs (extracted from sources)
- Audit ACLs on TSplus Remote Access installation directories for 'Everyone:(OI)(CI)(F)' or 'Everyone:(F)' permissions, which indicate full write access by any local user.
- Monitor for unexpected modifications to files under C:\Program Files (x86)\TSplus\Clients\www\ — especially .exe, .js, .html, .dll.config, and .jar files — by non-administrative local users, which may indicate privilege escalation or code injection attempts.
- Alert on write/modify events to C:\Program Files (x86)\TSplus\Clients\www\software\java\third\jws.js or prototype.js by non-SYSTEM/non-admin accounts, as these are world-writable JS files that could be trojanized.
- Alert on write/modify events to C:\Program Files (x86)\TSplus\Clients\www\cgi-bin\hb.exe.config or SessionPrelaunch.Common.dll.config by non-admin users, as tampering with these config files could redirect execution or escalate privileges.
- CVE-2023-31067 applies exclusively to TSplus Remote Access (up to v16.0.2.14), NOT to the TSplus Remote Work product. Do not conflate with CVE-2023-27133 which covers TSplus Remote Work 16.0.0.0.
- The insecure permissions affect the entire C:\Program Files (x86)\TSplus\Clients\www tree and C:\Program Files (x86)\TSplus\UserDesktop\themes tree, not just individual files — any file placed or modified in these directories by a low-privileged user is a potential attack vector.
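The ACL audit in the first item above can be run over saved `icacls <dir> /T` output. This is an added example, not code from the advisory or the vendor; the function name, the sample ACLs, and the assumption of an English-language Windows install (where the group is named `Everyone`) are constructed for illustration.

```python
import re

ACE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([A-Za-z,]+\))+)$")

def find_everyone_grants(icacls_text, rights=("F",)):
    """Return (path, ace) pairs where Everyone is allowed one of `rights`."""
    findings = []
    for block in re.split(r"\n\s*\n", icacls_text):
        lines = [ln.rstrip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        if len(lines) > 1:
            # Continuation lines are indented to the column where ACEs start,
            # which separates the path from the first ACE even with spaces.
            col = len(lines[1]) - len(lines[1].lstrip())
        else:
            # Single-ACE object: only interesting if that ACE is Everyone.
            col = lines[0].rfind(" Everyone:") + 1
            if col == 0:
                continue  # also skips the trailing summary line
        path = lines[0][:col].rstrip()
        for ace in [lines[0][col:]] + [ln.strip() for ln in lines[1:]]:
            m = ACE.match(ace)
            if not m or m["who"].lower() != "everyone":
                continue
            flags = re.findall(r"\(([^)]+)\)", m["flags"])
            # A (DENY) ACE carrying the same right is not a grant.
            if "DENY" not in flags and any(r in flags for r in rights):
                findings.append((path, ace))
    return findings

def _render(path, aces):
    """Lay out one object the way icacls prints it (constructed sample data)."""
    pad = " " * (len(path) + 1)
    return path + " " + ("\n" + pad).join(aces) + "\n"

WWW = r"C:\Program Files (x86)\TSplus\Clients\www"
# Constructed sample, not captured from a real host.
SAMPLE = "\n".join([
    _render(WWW, ["Everyone:(OI)(CI)(F)", r"BUILTIN\Administrators:(OI)(CI)(F)"]),
    _render(WWW + r"\cgi-bin\hb.exe.config", [r"NT AUTHORITY\SYSTEM:(I)(F)", "Everyone:(I)(F)"]),
    _render(WWW + r"\index.html", ["Everyone:(DENY)(W)"]),
    _render(WWW + r"\software\java\third\jws.js", [r"BUILTIN\Users:(I)(RX)", "Everyone:(I)(RX)"]),
]) + "\nSuccessfully processed 4 files; Failed processing 0 files\n"

if __name__ == "__main__":
    for path, ace in find_everyone_grants(SAMPLE):
        print(f"EVERYONE-FULL-CONTROL  {path}  [{ace}]")
```

Passing `rights=("F", "M", "W")` widens the check to other write-capable grants, which goes beyond the Full Control case the advisory names.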
GHSA
GHSA-m4g4-hvch-vhgf: TSplus Remote Work 16
ghsa_unreviewed · 2023-10-17 · CVSS 9.8
CVE-2023-27133 [CRITICAL] CWE-276 GHSA-m4g4-hvch-vhgf: TSplus Remote Work 16
TSplus Remote Work 16.0.0.0 has weak permissions for .exe, .js, and .html files under the %PROGRAMFILES(X86)%\TSplus-RemoteWork\Clients\www folder. This may enable privilege escalation if a different local user modifies a file. NOTE: CVE-2023-31067 and CVE-2023-31068 are only about the TSplus Remote Access product, not the TSplus Remote Work product.
GHSA
GHSA-7r8v-7v58-4r7m: An issue was discovered in TSplus Remote Access through 16
ghsa_unreviewed · 2023-09-11
CVE-2023-31067 [CRITICAL] CWE-276 GHSA-7r8v-7v58-4r7m: An issue was discovered in TSplus Remote Access through 16
An issue was discovered in TSplus Remote Access through 16.0.2.14. There are Full Control permissions for Everyone on some directories under %PROGRAMFILES(X86)%\TSplus\Clients\www.
Published: 2023-09-11