CVE-2022-3365
Published: 28 January 2025
Description
Because it relies on a trivial substitution cipher sent in cleartext and falls back to a default password when the user does not set one, the Remote Mouse Server by Emote Interactive can be abused by attackers to inject OS commands over the product's custom control protocol. A Metasploit module was written and tested against version 4.110, the current version when this CVE was reserved.
Security Summary
CVE-2022-3365 is a critical vulnerability in the Remote Mouse Server by Emote Interactive, stemming from reliance on a trivial substitution cipher transmitted in cleartext and the use of a default password when users do not configure one. This design flaw enables attackers to inject operating system commands via the product's custom control protocol. The vulnerability was tested against version 4.110, which was the current version at the time the CVE was reserved, and is classified under CWE-327 (Broken or Risky Cryptographic Algorithm) with a CVSS v3.1 base score of 9.8.
The attack requires no privileges or user interaction, allowing remote attackers to exploit it over the network with low complexity (AV:N/AC:L/PR:N/UI:N/S:U). Successful exploitation grants high-impact access to execute arbitrary OS commands on the affected system, compromising confidentiality, integrity, and availability (C:H/I:H/A:H).
The primary reference is a GitHub pull request for a Metasploit module (https://github.com/rapid7/metasploit-framework/pull/17067), which implements and tests an exploit against version 4.110. No vendor advisories or patches are detailed in the provided information.
Details
- CWE(s)