CVE-2021-21911

Vulnerability

Advantech R-SeeNet versions up to and including 2.4.15 (30.07.2021) on Windows installs to C:\R-SeeNet with insecure default permissions. The SnmpMonSvs service binary (C:\R-SeeNet\R_SeeNet.exe) allows the "Authenticated Users" group to have "Full/Change" (modify) privileges [1]. This service runs with NT SYSTEM authority. The vulnerability is tracked as CWE-276 (Incorrect Default Permissions) [1].

Exploitation

An attacker needs valid local Windows credentials (any Authenticated User). With write access to the service binary, the attacker replaces the legitimate executable with a malicious one. The service must then be restarted (either by waiting for a system reboot or by triggering a restart if the attacker has the necessary permissions or user interaction) [1]. No additional authentication or network access is required beyond local logon.

Impact

Upon successful exploitation, the attacker achieves privilege escalation to NT SYSTEM authority, the highest level on Windows. This grants full control over the system, including the ability to read/modify all files, install software, create accounts, and compromise confidentiality, integrity, and availability [1].

Mitigation

Advantech has not released a public patch as of the publication date. As a workaround, administrators should manually restrict permissions on C:\R-SeeNet\R_SeeNet.exe to only authorized users (e.g., Administrators and SYSTEM), removing access for the "Authenticated Users" group. Users should monitor vendor advisories for a future update [1].