CVE-2018-19234
Description
The Miss Marple Updater Service in COMPAREX Miss Marple Enterprise Edition before 2.0 allows remote attackers to execute arbitrary code with SYSTEM privileges via vectors related to missing update validation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Miss Marple Enterprise Edition update service lacks validation, allowing arbitrary code execution as SYSTEM via crafted updates or hardcoded AES key.
Vulnerability
The Miss Marple Updater Service in COMPAREX Miss Marple Enterprise Edition before version 2.0 does not validate update packages, enabling an attacker to supply a malicious update. Additionally, the application uses a hardcoded AES-256 key and initialization vector to encrypt credentials, which can be extracted to decrypt the password for a remote server [1]. This allows an attacker to upload arbitrary files to the server, including a replacement update package. Affected versions are all builds prior to 2.0 [1][2].
Exploitation
An attacker with network access to the update service can craft a malicious update package and deliver it to the agent. Alternatively, by decompiling the agent binary to obtain the hardcoded AES key and IV, the attacker can decrypt credentials used for file uploads [1]. The attacker can then upload a tampered update to the server, which is subsequently distributed to all agents that install updates from that server [1]. No authentication is required to interact with the update service, and user interaction is not needed for the update installation [1][2].
Impact
Successful exploitation allows remote code execution with SYSTEM privileges on the target machine. The attacker gains full control over the affected system, including the ability to install programs, view/change/delete data, or create new accounts with full user rights [1][2].
Mitigation
COMPAREX released a patch in version 2.0 that addresses this vulnerability. Users should upgrade to the latest version immediately [1]. No workaround is available for unpatched versions. The vendor has not listed this CVE in CISA's Known Exploited Vulnerabilities catalog at the time of writing.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <2.0
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The Miss Marple Updater Service downloads and executes binaries from a server directory without any cryptographic or integrity validation."
Attack vector
An attacker first exploits one of the arbitrary-file-upload methods (CVE-2018-19233 or the binary-patching/curl techniques described in the advisory) to place a malicious binary into the update directory on the server [ref_id=1]. The Miss Marple Updater Service, running on every client, periodically checks this directory for new versions and downloads any file it finds there. Because the service performs no validation on the downloaded binary, it executes the attacker-supplied file with NT Authority\SYSTEM privileges, achieving remote code execution on all client machines [ref_id=1].
Affected code
The advisory identifies the Miss Marple Updater Service as the vulnerable component. No specific function or file paths are named in the write-up; the service runs on all clients and checks for new versions on the same server used by the Miss Marple Inventory Agent.
What the fix does
The advisory states that the vendor fixed all identified issues in version 2.0 of Miss Marple Enterprise Edition [ref_id=1]. No patch diff is available in the bundle, but the remediation guidance is to upgrade to version 2.0 immediately. The fix presumably adds integrity validation (e.g., code signing or checksum verification) to the updater's download-and-execute routine so that only trusted binaries are installed.
Preconditions
- inputThe attacker must be able to write files to the server's update directory (achievable via the companion arbitrary-file-upload vulnerabilities described in the same advisory).
- configThe Miss Marple Updater Service must be running on target client machines.
- networkThe attacker must have network access to the server or be able to reach it through the upload vectors.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- packetstormsecurity.com/files/150427/Miss-Marple-Enterprise-Edition-File-Upload-Hardcoded-AES-Key.htmlmitrex_refsource_MISC
- seclists.org/fulldisclosure/2018/Nov/55mitremailing-listx_refsource_FULLDISC
- seclists.org/bugtraq/2018/Nov/37mitremailing-listx_refsource_BUGTRAQ
- www.sec-consult.com/en/blog/advisories/multiple-critical-vulnerabilities-in-miss-marple-enterprise-edition/mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.