CVE-2024-43592

FAQ

According to the CVSS metric, the attack vector is network (AV:N) and the user interaction is required (UI:R). What is the target context of the remote code execution?

This attack requires an admin user on the client to connect to a malicious server, and that could allow the attacker to gain code execution on the client.

How could an attacker exploit this vulnerability?

An unauthenticated attacker could send a specially crafted protocol message to a Routing and Remote Access Service (RRAS) server, which could lead to remote code execution (RCE) on the RAS server machine.

How could an attacker exploit this vulnerability?

An attacker who successfully exploited this vulnerability could gain remote code execution (RCE) on the victim's machine.

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

Exploitation of this vulnerability requires a user to remote into a server that is controlled by an attacker, which could then allow the server to execute a command on the user's machine without their consent. This scenario assumes that the user has the ability to remote into the server and that the server has been compromised to execute such commands upon connection.