Missing authorization in Quanos SCHEMA ST4 Client Update Service allows arbitrary file overwrite as SYSTEM

A local authenticated low-privileged user connects to the named pipe `ST4Updater2` and sends `"init"` to obtain a .NET Remoting port [ref_id=1]. The attacker then retrieves the remote object at `tcp://127.0.0.1:<port>/UpdateProcessCore`, creates a zlib-compressed Manifest.rdf and payload file served via HTTP, and invokes the `Update()` method with arguments such as `"Newer"` (to write files as SYSTEM) or `"Remove"` (to delete files/directories) [ref_id=1]. No authentication or authorization check is performed on the named-pipe endpoint, allowing arbitrary file operations with SYSTEM privileges.

The SCHEMA ST4 Update Service runs as NT AUTHORITY\SYSTEM and exposes a .NET Remoting interface over a named pipe (`ST4Updater2`) without sufficient access controls or authentication. The `Update()` method can be invoked by any local low-privileged user, leading to arbitrary file write and delete operations with SYSTEM privileges.

The vendor does not provide a patch but offers a workaround: disable the affected "Client Update Service" [ref_id=1]. Without the service running, the vulnerable .NET Remoting interface is no longer exposed. Updating the client must then be performed manually with a privileged user account. The advisory notes that the cloud/SaaS solution is not affected [ref_id=1].