Privilege Escalation via Auto-Update Feature in Mirasys VMS

Privilege Escalation via Auto-Update Feature in Mirasys VMS

CVE-2019-11031 · HIGH Severity

AV:N/AC:L/AU:N/C:C/I:C/A:C

Mirasys VMS before V7.6.1 and 8.x before V8.3.2 mishandles the auto-update feature of IDVRUpdateService2 in DVRServer.exe. An attacker can upload files with a Setup-Files action, and then execute these files with SYSTEM privileges.

Learn more about our Cis Benchmark Audit For Server Software.