CVE-2023-31067
published 2023-09-11

Priority: P2 (63) | Severity: critical | CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 2.88% (85.1th percentile)
An issue was discovered in TSplus Remote Access through 16.0.2.14. There are Full Control permissions for Everyone on some directories under %PROGRAMFILES(X86)%\TSplus\Clients\www.

Affected (2 ranges)

Vendor | Product              | Version range | Fixed in
tsplus | tsplus_remote_access | <= 16.0.2.14  |
tsplus | tsplus_remote_work   | <= 16.0.0.0   |

Detection & IOCs

path: C:\Program Files (x86)\TSplus\Clients\www
path: C:\Program Files (x86)\TSplus\Clients\www\addons\Setup-VirtualPrinter-Client.exe
path: C:\Program Files (x86)\TSplus\Clients\www\cgi-bin\hb.exe.config
path: C:\Program Files (x86)\TSplus\Clients\www\cgi-bin\SessionPrelaunch.Common.dll.config
path: C:\Program Files (x86)\TSplus\Clients\www\cgi-bin\remoteapp\index.html
path: C:\Program Files (x86)\TSplus\Clients\www\RemoteAppClient\index.html
path: C:\Program Files (x86)\TSplus\UserDesktop\themes
filename: Setup-VirtualPrinter-Client.exe
  • Audit ACLs on TSplus Remote Access installation directories for 'Everyone:(OI)(CI)(F)' or 'Everyone:(F)' permissions, which indicate full write access by any local user.
  • Monitor for unexpected modifications to files under C:\Program Files (x86)\TSplus\Clients\www\ — especially .exe, .js, .html, .dll.config, and .jar files — by non-administrative local users, which may indicate privilege escalation or code injection attempts.
  • Alert on write/modify events to C:\Program Files (x86)\TSplus\Clients\www\software\java\third\jws.js or prototype.js by non-SYSTEM/non-admin accounts, as these are world-writable JS files that could be trojanized.
  • Alert on write/modify events to C:\Program Files (x86)\TSplus\Clients\www\cgi-bin\hb.exe.config or SessionPrelaunch.Common.dll.config by non-admin users, as tampering with these config files could redirect execution or escalate privileges.
  • CVE-2023-31067 applies exclusively to TSplus Remote Access (up to v16.0.2.14), NOT to the TSplus Remote Work product. Do not conflate with CVE-2023-27133, which covers TSplus Remote Work 16.0.0.0.
  • The insecure permissions affect the entire C:\Program Files (x86)\TSplus\Clients\www tree and C:\Program Files (x86)\TSplus\UserDesktop\themes tree, not just individual files; any file placed or modified in these directories by a low-privileged user is a potential attack vector.
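
The ACL audit from the first detection bullet, as an added example (not code from the source page or from TSplus): it parses saved `icacls "<dir>" /T` output and reports every path where Everyone holds an allow ACE with (F), noting whether the ACE is inherited. The sample output is constructed, and the parser assumes the English group name and icacls's alignment of continuation lines under the first ACE.

```python
import re

# An ACE for the Everyone group, e.g. "Everyone:(OI)(CI)(F)". The lookbehind
# keeps names such as "CORP\NotEveryone" from matching. Assumption: English
# host; the group name is localized on other Windows language versions.
ACE_RE = re.compile(r"(?<!\S)Everyone:((?:\([A-Z,]+\))+)\s*$")

def find_everyone_full_control(icacls_text):
    """Return [(path, flags, inherited)] for ACEs granting Everyone (F)."""
    findings, header = [], None
    for line in icacls_text.splitlines():
        if not line.strip():
            header = None                  # a blank line ends an entry
            continue
        if not line[0].isspace():
            header = line                  # first line of an entry: "<path> <ACE>"
        m = ACE_RE.search(line)
        if not m or header is None:
            continue
        flags = re.findall(r"\(([A-Z,]+)\)", m.group(1))
        if "F" not in flags or "DENY" in flags:
            continue                       # skip deny entries and anything short of (F)
        # Continuation lines are padded to len(path) + 1, so the column where
        # this ACE starts also marks where the path ends on the header line.
        path = header[:m.start()].rstrip()
        findings.append((path, flags, "I" in flags))
    return findings

def render_entry(path, aces):
    """Build one entry with icacls-style alignment (constructed sample data)."""
    return path + " " + ("\n" + " " * (len(path) + 1)).join(aces) + "\n"

WWW = r"C:\Program Files (x86)\TSplus\Clients\www"
SAMPLE = "\n".join([
    render_entry(WWW, ["Everyone:(OI)(CI)(F)", r"BUILTIN\Administrators:(I)(OI)(CI)(F)"]),
    render_entry(WWW + r"\cgi-bin\hb.exe.config",
                 [r"NT AUTHORITY\SYSTEM:(I)(F)", "Everyone:(I)(F)"]),
    render_entry(WWW + r"\RemoteAppClient\index.html",
                 ["Everyone:(I)(RX)", r"CORP\NotEveryone:(F)"]),
    render_entry(r"C:\Program Files (x86)\TSplus\UserDesktop\themes",
                 [r"BUILTIN\Users:(I)(OI)(CI)(RX)"]),
    "Successfully processed 4 files; Failed processing 0 files",
])

if __name__ == "__main__":
    for path, flags, inherited in find_everyone_full_control(SAMPLE):
        origin = "inherited" if inherited else "explicit"
        print(f"{path}: Everyone ({'/'.join(flags)}), {origin}")
```

An explicit (non-inherited) finding marks the directory where the ACE is set; fixing it there also clears the inherited entries beneath it.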