CVE-2020-15261
moderate-risk
Published 2020-10-19
On Windows the Veyon Service before version 4.4.2 contains an unquoted service path vulnerability, allowing locally authenticated users with administrative privileges to run malicious executables with LocalSystem privileges. Since Veyon users (both students and teachers) usually don't have administrative privileges, this vulnerability is only dangerous in anyway unsafe setups. The problem has been fixed in version 4.4.2. As a workaround, the exploitation of the vulnerability can be prevented by revoking administrative privileges from all potentially untrustworthy users.
Do I need to act?
~
8.1% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.0/10
High
NETWORK
/ HIGH complexity
Affected Products (1)
Veyon
Affected Vendors
References (12)
Issue Tracking
https://github.com/veyon/veyon/issues/657
Third Party Advisory
https://github.com/veyon/veyon/security/advisories/GHSA-c8cc-x786-hqqp
Issue Tracking
https://github.com/veyon/veyon/issues/657
Third Party Advisory
https://github.com/veyon/veyon/security/advisories/GHSA-c8cc-x786-hqqp
39
/ 100
moderate-risk
Severity
24/34 · High
Exploitability
10/34 · Low
Exposure
5/34 · Minimal