Zero-day vulnerability in IPVPN

Arbitrary file upload

The vulnerability allows multiple APT actors to gain access to an unrestricted file upload function and execute arbitrary code on the system.

Vulnerability details

Advisory: SB2021111804 - Arbitrary file upload in FatPipe WARP, MPVPN and IPVPN

Vulnerable component: IPVPN

CVE-ID:

CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type

Description:

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to insufficient validation of file during file upload in the web management interface. A remote attacker can upload a malicious file and execute it on the server.

Note, the vulnerability is being actively exploited in the wild.

External links: