Arbitrary Code Execution via Deserialization in Ozeki NG SMS Gateway

Arbitrary Code Execution via Deserialization in Ozeki NG SMS Gateway

CVE-2020-14030 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. It stores SMS messages in .NET serialized format on the filesystem. By generating (and writing to the disk) malicious .NET serialized files, an attacker can trick the product into deserializing them, resulting in arbitrary code execution.

Learn more about our Web Application Penetration Testing UK.