Insecure Deserialization Vulnerability in Mirasys VMS
CVE-2019-11030 · HIGH Severity
AV:N/AC:L/AU:N/C:C/I:C/A:C
Mirasys VMS before V7.6.1 and 8.x before V8.3.2 mishandles the Mirasys.Common.Utils.Security.DataCrypt method in Common.dll in AuditTrailService in SMServer.exe. This method triggers insecure deserialization within the .NET garbage collector, in which a gadget (contained in a serialized object) may be executed with SYSTEM privileges. The attacker must properly encrypt the object; however, the hardcoded keys are available.
Learn more about our Cis Benchmark Audit For Server Software.