CVE-2022-3365

Emote Interactive Remote Mouse Server command injection due to weak encoding

CVSS 9.8 CRITICALEPSS 2.0%CWE-327

Due to reliance on a trivial substitution cipher, sent in cleartext, and the reliance on a default password when the user does not set a password, the Remote Mouse Server by Emote Interactive can be abused by attackers to inject OS commands over theproduct's custom control protocol. A Metasploit module was written and tested against version 4.110, the current version when this CVE was reserved.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Emote Interactive · Remote Mouse Server

public PoCs found — 1

cve_referencegithub.com/rapid7/metasploit-framework/pull/17067unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/rapid7/metasploit-framework/pull/17067