CVE-2018-5354
Description
The custom GINA/CP module in ANIXIS Password Reset Client before version 3.22 allows remote attackers to execute code and escalate privileges via spoofing. When the client is configured to use HTTP, it does not authenticate the intended server before opening a browser window. An unauthenticated attacker capable of conducting a spoofing attack can redirect the browser to gain execution in the context of the WinLogon.exe process. If Network Level Authentication is not enforced, the vulnerability can be exploited via RDP.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ANIXIS Password Reset Client before 3.22 allows remote code execution and privilege escalation via HTTP spoofing, redirecting the WinLogon browser to an attacker's server.
Vulnerability
The custom GINA/CP module in ANIXIS Password Reset Client before version 3.22 fails to authenticate the intended server when configured to use HTTP, allowing an unauthenticated attacker to redirect the embedded browser to a malicious host [1]. This affects all versions prior to 3.22 when the client uses HTTP rather than HTTPS [1].
Exploitation
An unauthenticated attacker must be on the same network as the target (e.g., via ARP spoofing or physical access) and run a web server serving a file named pwreset. If Network Level Authentication (NLA) is not enforced, the attacker can RDP to the target system; otherwise physical access is required. The attacker clicks the "Reset Password" link on the logon screen, causing the built-in browser to load the attacker's server and open a file download dialog. By saving the file and using Shift+Right-Click > "Open command window here", the attacker can execute arbitrary commands in the context of WinLogon.exe [1].
Impact
Successful exploitation grants the attacker code execution as WinLogon.exe, leading to full system compromise and privilege escalation to SYSTEM [1]. The attacker can then execute arbitrary commands, install malware, or exfiltrate data [1].
Mitigation
Update to ANIXIS Password Reset Client version 3.22 (released January 29, 2018) or later [1]. Additionally, configure the server and client to use HTTPS with a valid certificate to prevent spoofing [1]. If the client cannot be upgraded, enforce Network Level Authentication (NLA) for RDP connections to reduce the attack surface [1]. The vendor (now part of Netwrix) provides updated versions through their support portal [2].
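As an added, defender-side example that is not part of the advisory or the vendor's software: a PowerShell audit of the RDP Network Level Authentication setting this mitigation relies on. It reads the standard Terminal Server registry values and the Win32_TSGeneralSetting CIM class on a Windows host; it does not check the ANIXIS client's HTTP/HTTPS setting, since the page gives no configuration location for it.

```powershell
# Added example (not from the advisory or ANIXIS): report whether this host still
# exposes the logon screen to unauthenticated RDP clients, which is the precondition
# for triggering CVE-2018-5354 remotely. Assumes a Windows host with the standard
# Terminal Server registry layout; run elevated to apply the remediation at the end.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

$rdpDisabled = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$nlaRegistry = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication  -ErrorAction SilentlyContinue).UserAuthentication

# Cross-check the same setting through the Terminal Services CIM provider.
$tsSetting = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' -ClassName Win32_TSGeneralSetting `
    -Filter "TerminalName='RDP-Tcp'" -ErrorAction SilentlyContinue
$nlaCim = if ($tsSetting) { $tsSetting.UserAuthenticationRequired } else { $null }

$findings = @()
if ($rdpDisabled -eq 1) {
    Write-Output 'RDP is disabled: the logon screen is not reachable over RDP on this host.'
} else {
    if ($nlaRegistry -ne 1) {
        $findings += 'UserAuthentication is not 1: NLA is not enforced in the registry.'
    }
    if ($null -ne $nlaCim -and $nlaCim -ne 1) {
        $findings += 'Win32_TSGeneralSetting.UserAuthenticationRequired is not 1: NLA is not enforced.'
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'NLA enforcement matches the advisory mitigation; unauthenticated RDP sessions cannot reach the logon screen.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    Write-Output 'Remediation (elevated): require NLA for RDP-Tcp. Uncomment the line below to apply.'
    # Invoke-CimMethod -InputObject $tsSetting -MethodName SetUserAuthenticationRequired -Arguments @{ UserAuthenticationRequired = 1 }
}
```

Enforcing NLA only removes the remote trigger; the client still needs the 3.22 update and an HTTPS server configuration to close the spoofing vector itself.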
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ANIXIS / Password Reset Client
- Range: <3.22
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The custom GINA/CP module does not authenticate the intended server before opening a browser window when HTTP is used, allowing an attacker to spoof the server and redirect the browser."
Attack vector
An unauthenticated attacker conducts a spoofing attack (e.g., ARP spoofing) to redirect traffic intended for the legitimate password reset server to an attacker-controlled host [1]. The attacker runs a web server serving a binary file named "pwreset". When a user clicks "Reset Password" on the Windows logon screen, the built-in client browser connects to the attacker's server and opens a File Download dialog. The attacker then leverages the File Explorer dialog (via Save) and Shift+Right-Click > "Open command window here" to achieve code execution in the context of the WinLogon.exe process, escalating privileges [1]. If Network Level Authentication (NLA) is not enforced, the attack can be triggered remotely via RDP; otherwise, physical access is required [1].
Affected code
The custom GINA/CP module in ANIXIS Password Reset Client before version 3.22 is the affected component [1]. No specific function names or file paths are provided in the advisory.
What the fix does
The vulnerability was fixed in ANIXIS Password Reset Client version 3.22 (released January 29, 2018) [1]. The advisory recommends updating all affected clients to version 3.22 and additionally ensuring that the server and client are configured to use HTTPS with a valid certificate [1]. The patch itself is not included in the bundle, but the remediation guidance indicates that enforcing server authentication (via HTTPS certificate validation) closes the spoofing vector that allowed the unauthenticated redirect.
Preconditions
- Network: Attacker must be able to conduct a spoofing attack (e.g., ARP spoofing) to redirect traffic from the legitimate password reset server to an attacker-controlled host.
- Config: The ANIXIS Password Reset Client must be configured to use HTTP rather than HTTPS.
- Input: A user must click the 'Reset Password' link or tile on the Windows logon screen.
- Auth: If Network Level Authentication (NLA) is enforced, the attacker requires physical access to the target host; otherwise, RDP access is sufficient.
Reproduction
1. Conduct a spoofing attack (e.g., ARP spoofing) to redirect traffic intended for the legitimate password reset server to an attacker-controlled host.
2. Run a web server on the attacking host serving a binary junk file named "pwreset".
3. RDP to the target host (if NLA is not enforced; otherwise, physical access is required).
4. Click the "Reset Password" link or tile on the logon screen.
5. When the built-in client browser opens a File Download dialog, click Save to open a File Explorer dialog.
6. Shift+Right-Click and select "Open command window here" to gain code execution in the context of WinLogon.exe [1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. anixis.com (MISC)
News mentions
No linked articles in our index yet.