Inosoft has an update available to fix an incorrect default permissions vulnerability in its VisiWin product, according to a report with CISA.

Successful exploitation of this vulnerability could allow an attacker to gain SYSTEM privileges. CISA discovered the issue after finding a proof of concept (PoC) authored by Carlo Di Dato.
The issue affects the following Inosoft product: VisiWin 7, all versions prior to version 2024-1.

In the vulnerability, VisiWin creates a directory with insufficient permissions, allowing a low-privileged user to add and modify certain files that hold SYSTEM privileges, which could lead to privilege escalation.
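
Administrators can check a directory tree for this class of weak permission with a short audit script. The following is an added example, not code from Inosoft or CISA; the advisory summary does not name the affected directory, so `$Root` is a placeholder to replace with the local install path.

```powershell
# Added example: list ACEs that let broad, low-privileged groups create,
# change or delete files under a directory tree, or rewrite its ACL.
param(
    # Placeholder (assumption): set to the directory you want to audit.
    [string]$Root = 'C:\PLACEHOLDER\VisiWin'
)

# Well-known SIDs, matched by SID so localized group names do not matter.
$lowPriv = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Rights that allow adding or changing content, or taking control of the object.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# GENERIC_ALL and GENERIC_WRITE can appear unmapped in inherit-only ACEs.
$genericMask = 0x10000000 -bor 0x40000000

# Audit the root itself plus everything beneath it, hidden items included.
$items = @(Get-Item -LiteralPath $Root -Force) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

foreach ($item in $items) {
    try {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ACL: $($item.FullName)"
        continue
    }
    # Ask for SIDs rather than account names; include explicit and inherited ACEs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid  = $ace.IdentityReference.Value
        $bits = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Allow' -and $lowPriv.ContainsKey($sid) -and
            ($bits -band ($writeMask -bor $genericMask))) {
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $lowPriv[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}
```

Any row in the output is a location where a standard user can plant or alter files; rows on directories or files that a SYSTEM-level service loads or executes are the ones that matter for privilege escalation.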

CVE-2023-31468 is the case number for this vulnerability, which has a CVSS v3.1 base score of 7.8. There is also a CVSS v4 base score of 8.5.

The product sees use mainly in the critical manufacturing sector, and on a global basis.

No known exploits target this vulnerability. However, an attacker could easily leverage this low-complexity vulnerability.

Germany-based Inosoft recommends users update to VisiWin version 2024-1.

For more information, see VisiWin’s support page.

ISSSource
