CVE-2023-25261
Description
Remote Code Execution in Stimulsoft Designer and Viewer 2023.1.3/2023.1.4 via .mrt reports with unrestricted file system access, allowing arbitrary file read/write.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Stimulsoft Designer (Desktop) 2023.1.4, Stimulsoft Designer (Web) 2023.1.3, and Stimulsoft Viewer (Web) 2023.1.3 are affected by remote code execution through .mrt report files. These files allow inclusion of C# source code, and while some libraries like System.Net.HTTPClient are restricted, access to the local file system is not prohibited. This means an attacker can include source code that reads or writes local directories and files [2].
Exploitation
No authentication is required if the viewer or designer is embedded in a page without authentication. An attacker can prepare a malicious .mrt file containing C# code that performs file system operations. The file must be opened or rendered by a victim. The exploit requires user interaction (opening the file), but no special privileges [2].
Impact
Successful exploitation allows an attacker to read or write arbitrary files on the local file system, leading to remote code execution. The CVSS score is 10.0 (Critical) with network attack vector, low complexity, no privileges required, and scope change [2].
Mitigation
Stimulsoft released a fix in version 2023.2.1. Users should upgrade to this version or later. No workarounds are documented [2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Stimulsoft GmbH / Stimulsoft Designer
- Range: == 2023.1.4
- Range: == 2023.1.3
- Range: == 2023.1.3
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The .mrt report files allow embedded C# source code, and the application does not restrict access to the local file system, enabling arbitrary file read/write and remote code execution."
Attack vector
An attacker crafts a malicious .mrt report file containing embedded C# source code that reads or writes local directories and files [ref_id=1]. The attacker delivers this report to a victim using Stimulsoft Designer (Desktop) 2023.1.4, Stimulsoft Designer (Web) 2023.1.3, or Stimulsoft Viewer (Web) 2023.1.3 [ref_id=1]. No authentication is required if the viewer or designer is embedded in a page lacking authentication [ref_id=1]. The report can also include a variable that holds gathered data and renders it in the report output [ref_id=1].
Affected code
The vulnerability exists in the .mrt report file processing logic of Stimulsoft Designer (Desktop) 2023.1.4, Stimulsoft Designer (Web) 2023.1.3, and Stimulsoft Viewer (Web) 2023.1.3 [ref_id=1]. The application allows embedded C# source code in .mrt files but only restricts certain libraries (e.g., System.Net.HTTPClient, System.Net.Sockets) while leaving local file system access completely unrestricted [ref_id=1].
What the fix does
The advisory states the fixed version is 2023.2.1 [ref_id=1]. No patch diff is provided in the bundle, so the exact code changes are unknown. The fix presumably adds restrictions on file system access from embedded C# code in .mrt report files, closing the gap where calls to System.Net.HTTPClient and System.Net.Sockets were blocked but local file system access was not [ref_id=1].
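A defender-side triage check for the gap described above, added here as an example and not code from the advisory or from Stimulsoft: it parses an .mrt report as XML, pulls the embedded C# source out of any Script element (an assumption about where the report stores it), and flags file-system API usage of the kind the product's library allowlist did not block. The sample reports are constructed.

```python
import re
import xml.etree.ElementTree as ET
from typing import List

# File-system APIs whose presence in an embedded report script warrants review
# before the report is rendered (heuristic list, not exhaustive).
FILESYSTEM_PATTERNS = [
    r"\bSystem\.IO\b",
    r"\bFile\.(Read|Write|Append|Open|Create|Delete|Copy|Move|Exists)\w*\s*\(",
    r"\bDirectory\.\w+\s*\(",
    r"\b(FileStream|StreamReader|StreamWriter)\b",
    r"\bPath\.Combine\s*\(",
]

def extract_scripts(mrt_xml: str) -> List[str]:
    """Return the text of every element whose tag ends in 'Script'.
    Assumption: that element is where an .mrt report carries embedded C#."""
    root = ET.fromstring(mrt_xml)
    return [el.text or "" for el in root.iter()
            if el.tag.split("}")[-1].endswith("Script")]

def find_filesystem_access(mrt_xml: str) -> List[str]:
    """Return distinct file-system API tokens found in the embedded scripts.
    Non-empty means the report should be quarantined for manual review."""
    hits: List[str] = []
    for script in extract_scripts(mrt_xml):
        for pattern in FILESYSTEM_PATTERNS:
            for m in re.finditer(pattern, script):
                token = m.group(0).rstrip("( ")
                if token not in hits:
                    hits.append(token)
    return hits

# Constructed sample reports (minimal, not real Stimulsoft output).
BENIGN_MRT = ('<StiSerializer application="StiReport"><Script>using System;\n'
              'public class Report { public string Total() { return "3"; } }'
              '</Script></StiSerializer>')
SUSPICIOUS_MRT = ('<StiSerializer application="StiReport"><Script>using System.IO;\n'
                  'public class Report { public string Leak() {'
                  ' return File.ReadAllText("example.txt"); } }'
                  '</Script></StiSerializer>')

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_MRT), ("suspicious", SUSPICIOUS_MRT)):
        print(name, find_filesystem_access(doc))  # suspicious -> ['System.IO', 'File.ReadAllText']
```

Run it over reports at an upload or import boundary; anything it flags stays out of the viewer until a person has read the script.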
Preconditions
- Input: Attacker must deliver a crafted .mrt report file with embedded C# source code to the victim.
- Auth: No authentication required if the viewer or designer is embedded in a page lacking authentication.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.