Unauthenticated Remote Code Execution via Arbitrary File Upload in Visualware MyConnection Server

Unauthenticated Remote Code Execution via Arbitrary File Upload in Visualware MyConnection Server

CVE-2021-27198 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

An issue was discovered in Visualware MyConnection Server before v11.1a. Unauthenticated Remote Code Execution can occur via Arbitrary File Upload in the web service when using a myspeed/sf?filename= URI. This application is written in Java and is thus cross-platform. The Windows installation runs as SYSTEM, which means that exploitation gives one Administrator privileges on the target system.

Learn more about our Web App Pen Testing.