CVE-2020-16087

Vulnerability

An issue was discovered in Zalo.exe in VNG Zalo Desktop version 19.8.1.0. The vulnerability allows an attacker to run arbitrary commands on a remote Windows machine running the Zalo client by sending the user a crafted file [1]. The exact component and file format are not detailed in the available reference, but the attack vector is through file transfer within the application.

Exploitation

An attacker sends a specially crafted file to a Zalo Desktop user. The user must open or interact with the file within the Zalo client for the exploit to trigger. No authentication or special network position is required beyond being able to send a file through Zalo. The reference does not provide a detailed sequence of steps.

Impact

Successful exploitation allows the attacker to execute arbitrary commands on the victim's Windows machine. The attacker gains code execution at the privilege level of the Zalo Desktop process, which may allow full compromise of the system.

Mitigation

As of the publication date (2020-08-13), no patch or fixed version has been disclosed in the available references. Users should be cautious when opening files from untrusted contacts. The vendor has not announced a mitigation or workaround [1].