CVE-2023-52252
Description
Unified Remote 3.13.0 fixed a critical remote code execution vulnerability via a path traversal in the web server, allowing unauthenticated attackers to write arbitrary files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Unified Remote Server versions up to and including 3.13.0 contain a path traversal vulnerability in the built-in web server component. The web interface, which serves static files for the browser-based remote control panel, does not adequately validate requested file paths. An attacker can craft HTTP requests with directory traversal sequences (e.g., ../) to escape the intended base directory. This allows reading arbitrary files and, more critically, writing arbitrary files to attacker-controlled paths. The write primitive leads to remote code execution via uploading a crafted .zip file containing a malicious remote.lua script that is executed by the server. The vulnerability is exposed on the web upload endpoint, which responds with a wildcard Access-Control-Allow-Origin: * header, so cross-origin requests from any website can reach the localhost endpoint. All versions up to and including 3.13.0 are affected; the vendor released fixes in later releases [1][2].
Exploitation
An attacker does not require authentication or prior access to the target system. The vulnerability can be triggered remotely from any network where the Unified Remote web port (typically TCP 9512) is accessible, or via a victim's web browser from an attacker-controlled webpage due to the wildcard CORS policy. The attacker sends a crafted HTTP request containing ../ sequences in the URL path to write a malicious zip archive to the server's upload directory. This zip contains a remote.lua file that, once uploaded, is loaded and executed by the Unified Remote server in the context of the current user. A proof-of-concept exploit script automates generating the malicious payload and hosting a delivery webpage; social engineering may be used to lure victims into visiting this page [1][2].
Impact
Successful exploitation allows an unauthenticated remote attacker to execute arbitrary Lua code on the target system. This gives the attacker the ability to perform any action that the user running the Unified Remote server can do, including reading, modifying, or deleting files, installing malware, and pivoting to other systems on the network. The CVSS 3.1 base score is 9.8 (Critical), with impacts to confidentiality, integrity, and availability all rated as HIGH. No user interaction is necessary for exploitation if the attacker can directly reach the web port; user interaction (visiting a malicious page) is required for the cross-origin attack vector [2].
Mitigation
The vendor has fixed this vulnerability in a later release of Unified Remote Server. Users should upgrade to the latest version available from the official website (https://www.unifiedremote.com/). As a workaround, administrators can restrict network access to the web interface (TCP port 9512) to trusted hosts only, and disable the upload functionality if not required. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog [1][2].
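As an added, constructed illustration of the two server-side weaknesses described above (unconfined upload paths and the wildcard CORS header), not code from Unified Remote or its vendor, the following Python shows how an upload handler should confine the target path to its base directory and answer only allowlisted origins; the base directory and the allowed origin are assumptions.

```python
"""Defensive checks for a file-upload endpoint (constructed example)."""
import os
import posixpath
from typing import Optional
from urllib.parse import unquote


def safe_upload_path(base_dir: str, requested: str) -> Optional[str]:
    """Return an absolute path inside base_dir, or None if the request escapes it.

    Percent-encoding is decoded first (so %2e%2e/ is treated as ../), backslashes
    are folded into slashes, and containment is checked on the resolved path,
    which also neutralises absolute paths and symlink tricks under base_dir.
    """
    decoded = unquote(requested)
    # Repeat decoding so a double-encoded %252e%252e cannot slip through.
    while decoded != unquote(decoded):
        decoded = unquote(decoded)
    decoded = decoded.replace("\\", "/").lstrip("/")
    normalised = posixpath.normpath(decoded)
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, normalised))
    # Must be strictly below base: the base directory itself is not a valid target.
    if candidate == base or not candidate.startswith(base + os.sep):
        return None
    return candidate


# Assumed origin of the legitimate browser UI; replace with the real one.
ALLOWED_ORIGINS = {"http://localhost:9512"}


def cors_headers(origin: Optional[str]) -> dict:
    """Emit Access-Control-Allow-Origin only for an allowlisted origin.

    Returning the wildcard '*' would let any page in the victim's browser
    talk to the local endpoint; echoing an allowlisted origin plus
    'Vary: Origin' keeps caches from serving the header to other origins.
    """
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}
```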
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Unified Remote / Unified Remote
  - Range: =3.13.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.