Insecure Deserialization Vulnerability in Mirasys VMS

Insecure Deserialization Vulnerability in Mirasys VMS

CVE-2019-11030 · HIGH Severity

AV:N/AC:L/AU:N/C:C/I:C/A:C

Mirasys VMS before V7.6.1 and 8.x before V8.3.2 mishandles the Mirasys.Common.Utils.Security.DataCrypt method in Common.dll in AuditTrailService in SMServer.exe. This method triggers insecure deserialization within the .NET garbage collector, in which a gadget (contained in a serialized object) may be executed with SYSTEM privileges. The attacker must properly encrypt the object; however, the hardcoded keys are available.

Learn more about our Cis Benchmark Audit For Server Software.