본문내용 바로가기 메인메뉴 바로가기 푸터 바로가기

Security Advisory

CVE-2021-26625 | tobesoft Nexacro arbitrary file download vulnerability2022.04.19
□ Overview
 o tobesoft Co.,Ltd released security update to address improper input validation vulnerability in Nexacro platform.(development platform)
Vulnerability
Vulnerability Type Impact Severity CVSS Score CVE ID
Insufficient Verification arbitrary file download
and execute
High 8.8 CVE-2021-26625

□ Description
 o Insufficient Verification of input Data leading to arbitrary file download and execute was discovered in Nexacro platform.
 o This vulnerability is caused by an automatic update function that does not verify input data except version information.
 o Remote attackers can use this incomplete validation logic to download and execute arbitrary malicious file. 

□ Affected Product
Affected Product
Product Version Platform
Nexacro 17 prior of 17.1.2.600 Windows

□ Solution
 o Update software over Nexacro 17 17.1.3.700 version or higher.

□ Reference
 [1] https://www.tobesoft.com/product/Nexacro.do

□ Etc
 o Thanks to Jeongun Baek for reporting this vulnerability.


□ 작성 : 침해사고분석단 취약점분석팀