CVE-2022-3229

Vulnerability

The Unified Remote web management interface (listening on TCP port 9512 by default) does not require authentication. An unauthenticated remote attacker can connect to this interface and modify the authentication settings for the Unified Remote protocol, effectively disabling any security. This affects Unified Remote version 3.11.0.2483(50) and likely earlier versions [1].

Exploitation

An attacker with network access to the target can connect to the web management interface without credentials. Using a tool such as the Metasploit module unified_remote_rce, the attacker retrieves the server configuration, identifies existing accounts, sends a handshake with empty authentication, and then opens the Start Menu and command prompt. The attacker types and executes a payload (e.g., a reverse shell) via the remote desktop-like functionality [1].

Impact

Successful exploitation allows the attacker to execute arbitrary code on the target system with the privileges of the user running the Unified Remote server. In the demonstrated case, this resulted in a command shell as the logged-in user (n00tmeg) on Windows 11 [1]. The attacker can perform any action that user can, including data exfiltration, installation of malware, or lateral movement.

Mitigation

As of the publication date (2023-02-06), no official patch has been released by Unified Intents. Users should restrict network access to the web management interface (port 9512) to trusted hosts only, or disable the interface if not required. The vendor has not provided a fixed version; the vulnerability remains unpatched [1].