Cyclope Employee Surveillance Solution versions 6.x are vulnerable to a SQL injection flaw in its login mechanism. The username parameter in the auth-login POST request is not properly sanitized, allowing attackers to inject arbitrary SQL statements. This can be leveraged to write and execute a malicious PHP file on disk, resulting in remote code execution under the SYSTEM user context.
The username parameter in the POST request to the auth-login endpoint is not properly filtered, allowing injection of arbitrary SQL instructions. The attacker can exploit this vulnerability to write a malicious PHP file to the server disk and then call it remotely, thereby achieving remote code execution (RCE). This occurs without the need for any credentials and requires no user interaction. The code is executed in the context of the SYSTEM account, which means the highest privilege level in the Windows environment.
The attacker gains remote code execution (RCE) with SYSTEM privileges, enabling complete takeover of the operating system, including data theft, malware installation, and lateral movement within the network.
Apply patches available from the vendor according to the references. If updating is not possible, consider restricting network access to the web application interface to trusted hosts only and monitor traffic for SQL injection attempts.
Cyclope Employee Surveillance Solution in versions 6.x
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X