CVE-2021-27406
PerFact OpenVPN-Client
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
An attacker can take leverage on PerFact OpenVPN-Client versions 1.4.1.0 and prior to send the config command from any application running on the local host machine to force the back-end server into initializing a new open-VPN instance with arbitrary open-VPN configuration. This could result in the attacker achieving execution with privileges of a SYSTEM user.
Un atacante puede aprovechar PerFact OpenVPN-Client versiones 1.4.1.0 y anteriores, para enviar el comando config desde cualquier aplicación que sea ejecutada en el equipo anfitrión local para forzar al servidor back-end a inicializar una nueva instancia de Open-VPN con una configuración arbitraria de Open-VPN. Esto podría resultar en que el atacante logre una ejecución con privilegios de un usuario SYSTEM
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-02-19 CVE Reserved
- 2022-10-14 CVE Published
- 2024-05-06 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-15: External Control of System or Configuration Setting
- CWE-610: Externally Controlled Reference to a Resource in Another Sphere
CAPEC
References (1)
| URL | Tag | Source |
|---|---|---|
| https://www.cisa.gov/uscert/ics/advisories/icsa-21-056-01 | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Perfact Search vendor "Perfact" | Openvpn-client Search vendor "Perfact" for product "Openvpn-client" | <= 1.4.1.0 Search vendor "Perfact" for product "Openvpn-client" and version " <= 1.4.1.0" | - |
Affected
| ||||||