SmartSoft SmartBPM.NET Users Beware of Remote Code Execution Vulnerability

CVE: CVE-2023-37286
CVSS (v3.1): 9.8
Source: CVE-2023-37286

SmartSoft SmartBPM.NET, a workflow management software, has been found to have a vulnerability that allows remote code execution.

The issue arises from the use of a hard-coded machine key. Because the key is shared by every installation, an attacker can send serialized payloads that the server accepts, which then allows execution of arbitrary code on the server.

As SmartBPM.NET fails to generate a unique machine key, an unauthenticated remote attacker can craft a specially designed request containing a malicious payload. When processed by the server, this payload would get deserialized and executed, enabling the attacker to disrupt services or even take complete control of the affected system.

To stay protected, SmartBPM.NET users should contact SmartSoft and apply any updates released to patch this security flaw. It is also recommended to isolate the SmartBPM.NET server from untrusted networks as much as possible. Regular security audits of the system can help detect any vulnerabilities early. Following basic security practices like keeping software updated and restricting access appropriately can go a long way in guarding against exploitation of such vulnerabilities.
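Because the flaw is a machine key shared by every install, one practical check for an operator running several SmartBPM.NET instances is to confirm that no two unrelated installs carry the same static key, and to have fresh key material ready if the vendor's fix involves replacing it. The following Python is an added example for this advisory, not SmartSoft's code; it assumes the key is configured through the standard ASP.NET `<machineKey>` element in `web.config`, and every config fragment and key value below is constructed.

```python
import hashlib
import secrets
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

def config_with(validation_key: str, decryption_key: str) -> str:
    """Build a minimal web.config around one <machineKey> element (constructed)."""
    return ("<configuration><system.web>"
            f'<machineKey validationKey="{validation_key}" decryptionKey="{decryption_key}"'
            ' validation="HMACSHA256" decryption="AES"/></system.web></configuration>')

# Constructed placeholders standing in for a key shipped inside the product.
FIXED_VK, FIXED_DK = "A" * 128, "B" * 64
SAMPLE_CONFIGS = {
    "site-a": config_with(FIXED_VK, FIXED_DK),  # two unrelated installs
    "site-b": config_with(FIXED_VK, FIXED_DK),  # sharing one fixed key
    "site-c": config_with("AutoGenerate,IsolateApps", "AutoGenerate,IsolateApps"),
}

def static_key_fingerprint(config_xml: str) -> Optional[str]:
    """SHA-256 over the static key pair, or None when ASP.NET generates the key."""
    mk = ET.fromstring(config_xml).find("./system.web/machineKey")
    if mk is None:
        return None
    vk = mk.get("validationKey", "AutoGenerate")
    dk = mk.get("decryptionKey", "AutoGenerate")
    if vk.startswith("AutoGenerate") or dk.startswith("AutoGenerate"):
        return None
    return hashlib.sha256(f"{vk}:{dk}".encode()).hexdigest()

def find_shared_static_keys(configs: Dict[str, str]) -> Dict[str, List[str]]:
    """Group installs by static key. A group with more than one install that is
    not a deliberate web farm points at the hard-coded key the advisory describes."""
    by_key: Dict[str, List[str]] = {}
    for name, xml in configs.items():
        fp = static_key_fingerprint(xml)
        if fp is not None:
            by_key.setdefault(fp, []).append(name)
    return {fp: names for fp, names in by_key.items() if len(names) > 1}

def generate_machine_key() -> Dict[str, str]:
    """Fresh hex key material sized for HMACSHA256 (64 bytes) and AES (32 bytes).
    Rotation invalidates outstanding ViewState and forms-authentication tickets."""
    return {"validationKey": secrets.token_hex(64), "decryptionKey": secrets.token_hex(32)}

if __name__ == "__main__":
    for fp, sites in find_shared_static_keys(SAMPLE_CONFIGS).items():
        print(f"static machineKey {fp[:12]}... shared by {sites}")
```

Nodes of one load-balanced web farm legitimately share a key, so review each flagged group against the deployment inventory before treating it as the vendor default.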
