CVE-2023-31068
published 2023-09-11


Priority: P263
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 2.85% (84.9th percentile)

An issue was discovered in TSplus Remote Access through 16.0.2.14. There are Full Control permissions for Everyone on some directories under %PROGRAMFILES(X86)%\TSplus\UserDesktop\themes.

Affected (1 range)

Vendor: tsplus
Product: tsplus_remote_work
Version range: <= 16.0.0.0
Fixed in: (none given)

Detection & IOCs (extracted from sources)

path: C:\Program Files (x86)\TSplus-RemoteWork\Clients\www
path: C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download\Setup-RemoteWork-Client.exe
path: C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\hb.exe.config
path: C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\SessionPrelaunch.Common.dll.config
path: C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\remoteapp\index.html
path: C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download\common.js
path: C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download\lang.js
filename: Setup-RemoteWork-Client.exe

  • Audit ACLs on the TSplus-RemoteWork www directory tree for 'Everyone:(OI)(CI)(F)' or 'Everyone:(F)' permissions, which indicate the insecure configuration exploitable for privilege escalation.
  • Monitor for unexpected writes or modifications to Setup-RemoteWork-Client.exe under the TSplus www\download folder by non-administrative users, as this is a primary trojanization target.
  • Alert on file integrity changes to .html and .js files under C:\Program Files (x86)\TSplus-RemoteWork\Clients\www by non-SYSTEM/non-admin accounts, as these are world-writable and can be used to inject malicious code.
  • Despite the exploit PoC being tagged CVE-2023-31068, the NVD entry for that CVE number actually describes TSplus Remote Work 16.0.0.0 insecure permissions, the same vulnerability. The NVD page retrieved is for CVE-2023-27133, suggesting a possible mis-mapping; analysts should verify the correct CVE assignment before using this intel in tracking systems.
  • The vulnerable version ceiling is 16.0.0.0; installations beyond this version should be independently verified for the same ACL misconfiguration before assuming they are unaffected.
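
The ACL audit from the first detection item above, as an added PowerShell example (not part of the original page or any vendor tooling). It walks the two directory trees named on this page and reports every Allow ACE that grants Full Control to Everyone (SID S-1-1-0); the function name Get-EveryoneFullControl is hypothetical.

```powershell
# Added example: report Everyone / Full Control ACEs under the TSplus directories.
# Default roots are the two paths named on this page; pass -Root to override.
param(
    [string[]]$Root = @(
        "${env:ProgramFiles(x86)}\TSplus\UserDesktop\themes",
        'C:\Program Files (x86)\TSplus-RemoteWork\Clients\www'
    )
)

$EveryoneSid = 'S-1-1-0'   # well-known SID; avoids localized account names
$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

# Hypothetical helper name; emits one object per offending ACE.
function Get-EveryoneFullControl {
    param([string]$Path)

    # Include the root itself, then every file and subdirectory beneath it.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($item.FullName)"; continue }

        # Explicit and inherited rules, with identities returned as SIDs.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $isFull = ($rule.FileSystemRights -band $FullControl) -eq $FullControl
            if ($rule.IdentityReference.Value -eq $EveryoneSid -and
                $rule.AccessControlType -eq 'Allow' -and $isFull) {
                [pscustomobject]@{
                    Path        = $item.FullName
                    Inherited   = $rule.IsInherited
                    Inheritance = $rule.InheritanceFlags   # ContainerInherit, ObjectInherit = (OI)(CI)
                }
            }
        }
    }
}

$findings = foreach ($r in $Root) {
    if (Test-Path -LiteralPath $r) { Get-EveryoneFullControl -Path $r }
}
$findings | Sort-Object Path | Format-Table -AutoSize
if ($findings) { exit 1 }   # non-zero exit so a scheduled check can alert
```

Rows with Inherited set to False mark the directories where the permissive ACE is set explicitly; correcting those also clears the inherited entries beneath them.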