nGrinder before 3.5.9 allows to accept serialized Java objects from unauthenticated users, which could allow remote attacker to execute arbitrary code via unsafe Java objects deserialization.
The nGrinder application deserializes Java objects transmitted over the network without prior verification of the sender's identity. An attacker can prepare a malicious payload containing an unsafe Java object and send it directly to the vulnerable endpoint. During the deserialization process, the application executes code contained in the object, leading to the execution of arbitrary commands on the server (RCE).
An unauthenticated attacker can remotely execute arbitrary code on the server, which in practice means complete takeover of the system, including the ability to read and modify data and perform lateral movement across the network.
Naver nGrinder should be immediately updated to version 3.5.9 or newer. According to vendor references, a patch eliminating the vulnerability is available. Until the update is applied, it is recommended to restrict network access to nGrinder instances only to trusted IP addresses at the firewall level.
Naver nGrinder in all versions prior to 3.5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HNaver Ngrinder
APPNaver< 3.5.9
Related vulnerabilities
Naver nGrinder — RCE przez złośliwy serwer JMX/RMI
RCE w Naver nGrinder — niebezpieczna deserializacja przez SnakeYAML
nGrinder before 3.5.9 allows an attacker to create or update webhook configuration due to lack of access contr...
nGrinder before 3.5.9 allows an attacker to obtain the results of webhook requests due to lack of access contr...
Multiple cross-site scripting (XSS) vulnerabilities in nGrinder before 3.4 allow remote attackers to inject ar...