CVE-2021-3003
Description
Agenzia delle Entrate Desktop Telematico 1.0.0 contacts the jws.agenziaentrate.it server over cleartext HTTP, which allows man-in-the-middle attackers to spoof product updates.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Desktop Telematico 1.0.0 fetches updates over cleartext HTTP, allowing an on-path attacker to serve malicious files and achieve remote code execution.
Vulnerability
Desktop Telematico version 1.0.0 from Agenzia delle Entrate downloads software updates over cleartext HTTP from the host jws.agenziaentrate.it. The connection does not use TLS, so neither the identity of the update server nor the integrity of the update payload is cryptographically protected, and anyone able to alter traffic between the client and that host can alter the update. The vendor's download page currently lists version 1.3.0 (dated 09/10/2025); the version analysed in the original disclosure is 1.0.0 [1][2].
Exploitation
An attacker on the network path between the victim and jws.agenziaentrate.it (for example, on the same public Wi‑Fi or shared corporate LAN, or in control of a router or DNS resolver the client uses) can intercept the HTTP update request and answer it with a malicious executable in place of the legitimate package. No credentials and no user interaction beyond the normal update check are needed: the client trusts whatever the cleartext endpoint returns and, according to the disclosure, does not verify a digital signature or hash on the downloaded file [1].
Impact
A successful attack yields remote code execution (RCE) on the victim's machine with the privileges of the user running Desktop Telematico. In practice the attacker can deliver malware such as a cryptolocker and steal or encrypt the sensitive tax and client data handled by the software's typical users, accountants (commercialisti) and tax‑assistance centres (CAF). The impact is amplified because the software is mandatory for certain professional workflows and is often run on office networks where several users share the same Wi‑Fi credentials [1].
Mitigation
The vendor was contacted and released a fix around February 2021. Users should install the current release from the official download page (version 1.3.0 at the time of writing) rather than rely on the in‑app updater of 1.0.0 [2]. If the installer is fetched manually, compare it against any checksum the vendor publishes; this protects that one‑off download but does nothing for the cleartext in‑app update channel, so a still‑vulnerable installation should not be updated in‑app from an untrusted network. The CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
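The update-channel weakness described in the Vulnerability and Exploitation sections, and the checks a fixed updater needs, in a runnable Go sketch. This is an added example, not code from Desktop Telematico or from the fibonhack write-up: the Manifest format, the ed25519 release key, the function names and the sample payloads are assumptions made for illustration. It models the 1.0.0 behaviour (install whatever arrives), an on-path attacker who swaps the installer and even rewrites the manifest hash to match, and a hardened client that refuses non-HTTPS update URLs and verifies a signed manifest against a pinned public key before trusting the payload.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
)

// Manifest is an assumed update descriptor: release version plus the SHA-256
// of the installer. The whole manifest is what gets signed.
type Manifest struct {
	Version string
	SHA256  string // hex digest of Payload
}

// canonical fixes the exact bytes under the signature so publisher and client
// cannot disagree on encoding.
func (m Manifest) canonical() []byte {
	return []byte("version=" + m.Version + "\nsha256=" + m.SHA256 + "\n")
}

// SignedUpdate is what the client receives over the wire.
type SignedUpdate struct {
	Manifest  Manifest
	Signature []byte // ed25519 over Manifest.canonical()
	Payload   []byte // installer bytes
}

// publish is the vendor's release step; the private key stays offline.
func publish(priv ed25519.PrivateKey, version string, payload []byte) SignedUpdate {
	sum := sha256.Sum256(payload)
	m := Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])}
	return SignedUpdate{Manifest: m, Signature: ed25519.Sign(priv, m.canonical()), Payload: payload}
}

// insecureAccept models the 1.0.0 behaviour from the advisory: whatever
// arrives over cleartext HTTP is installed as-is.
func insecureAccept(u SignedUpdate) []byte { return u.Payload }

// checkUpdateURL refuses the cleartext transport before a single byte is
// fetched; an http:// update endpoint is the root cause of this CVE.
func checkUpdateURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return fmt.Errorf("refusing update over %q: TLS required", u.Scheme)
	}
	return nil
}

// verifyUpdate is the hardened client: signature against a pinned public key
// first, then payload hash against the signed manifest, then (and only then)
// the installer may be run.
func verifyUpdate(pub ed25519.PublicKey, u SignedUpdate) ([]byte, error) {
	if !ed25519.Verify(pub, u.Manifest.canonical(), u.Signature) {
		return nil, errors.New("manifest signature invalid")
	}
	sum := sha256.Sum256(u.Payload)
	if hex.EncodeToString(sum[:]) != u.Manifest.SHA256 {
		return nil, errors.New("payload hash does not match signed manifest")
	}
	return u.Payload, nil
}

// mitm models the on-path attacker. On plain HTTP swapping the installer is
// trivial, and so is rewriting the manifest hash; forging the signature is not.
func mitm(u SignedUpdate, evil []byte, fixHash bool) SignedUpdate {
	u.Payload = evil
	if fixHash {
		sum := sha256.Sum256(evil)
		u.Manifest.SHA256 = hex.EncodeToString(sum[:])
	}
	return u
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample data standing in for a real installer and a trojan.
	genuine := []byte("DesktopTelematico-1.3.0-setup")
	evil := []byte("malware-dropper")

	fmt.Println(checkUpdateURL("http://jws.agenziaentrate.it/update"))
	release := publish(priv, "1.3.0", genuine)
	tampered := mitm(release, evil, true)
	fmt.Printf("1.0.0 client installs: %s\n", insecureAccept(tampered))
	_, err := verifyUpdate(pub, tampered)
	fmt.Println("hardened client:", err)
	out, err := verifyUpdate(pub, release)
	fmt.Println("genuine release accepted:", err == nil && string(out) == string(genuine))
}
```

Run it with `go run`. The two checks are deliberately independent: TLS with certificate validation protects the transport, while the signed manifest makes the integrity of the installer hold even if the transport is compromised (a rogue CA, a misconfigured client), which is why a fixed updater should carry both rather than rely on HTTPS alone.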
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Agenzia delle Entrate / Desktop Telematico
- Range: = 1.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] fibonhack.github.io/2021/desktop-telematico-mitm-to-rce (MITRE, x_refsource_MISC)
- [2] telematici.agenziaentrate.gov.it/Main/Desktop.jsp (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.