Due to reliance on a trivial substitution cipher, sent in cleartext, and the reliance on a default password when the user does not set a password, the Remote Mouse Server by Emote Interactive can be abused by attackers to inject OS commands over theproduct's custom control protocol. A Metasploit module was written and tested against version 4.110, the current version when this CVE was reserved.
The application bases communication on a custom control protocol in which data is secured only by a trivial substitution cipher (CWE-327 – use of weak cryptographic algorithm), and the entire transmission is in plain text. When a user does not set their own password, the server uses a default, publicly known password. An attacker can construct an appropriate payload and inject it into the control protocol, causing arbitrary system commands to be executed on the machine running the server. A Metasploit module was developed and tested for this vulnerability.
An attacker without any privileges and without user interaction can remotely execute arbitrary operating system commands on a device running Remote Mouse Server, resulting in complete loss of confidentiality, integrity, and availability of the system.
Patches available from the vendor should be applied in accordance with the references. As temporary remedial measures, it is recommended to set a strong password in the server configuration, restrict network access to the Remote Mouse Server service (firewall, network segmentation), and disable the server if it is not actively in use.
Remote Mouse Server by Emote Interactive – confirmed for version 4.110 (current at the time of CVE disclosure); earlier versions may also be vulnerable
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H