Description Summary:
An unauthenticated file access vulnerability in webERP 4.15.1 allows remote attackers to download database backup files directly from the web directory.

Executive Summary:
webERP 4.15.1 is vulnerable to a critical data exposure flaw that allows unauthenticated attackers to download entire database backups, compromising all corporate financial and operational data.

Vulnerability Details

CVE-ID: CVE-2020-37082

Affected Software: webERP

Affected Versions: 4.15.1

Vulnerability: The application stores database backups in a predictable web-accessible directory (companies/weberp/) without proper access controls. An unauthenticated attacker can download these files by guessing or discovering the timestamp-based filename.

Business Impact

With a CVSS score of 9.8, this vulnerability represents a total loss of confidentiality. Since webERP manages sensitive business data, including financials, customer lists, and inventory, the exposure of a full SQL backup allows an attacker to replicate the entire business database offline for malicious use.

Remediation Plan

Immediate Action: Update webERP to the latest version and move all backup directories outside of the web server's document root immediately.

Proactive Monitoring: Check web server access logs for requests to the companies/weberp/ directory and any files ending in .sql.gz.

Compensating Controls: Use .htaccess or server configuration files to deny all web access to the backup directories and implement strong authentication for any directory containing sensitive exports.

Exploitation Status

Public Exploit Available: false

Analyst Notes: As of Feb 3, 2026, there is no public information indicating active exploitation. However, the predictable nature of the backup filenames makes this a trivial vulnerability to exploit once the directory structure is known.

Analyst Recommendation

Immediate isolation of backup files is required. Administrators must ensure that no sensitive data, especially database backups, is ever stored in a location reachable by a web browser without robust authentication and authorization checks.

Description Summary:
LanSend 3.2 contains a buffer overflow in its file import functionality, allowing remote attackers to execute arbitrary code through a crafted payload file that triggers an SEH overwrite.

Executive Summary:
LanSend 3.2 is susceptible to a critical buffer overflow vulnerability that enables Remote Code Execution (RCE) when a malicious file is processed during a computer import operation.

Vulnerability Details

CVE-ID: CVE-2020-37075

Affected Software: LanSend

Affected Versions: 3.2

Vulnerability: The vulnerability is located in the "Add Computers Wizard" file import feature. An attacker can craft a malicious file that, when imported by a user, overwrites the Structured Exception Handler (SEH) and executes arbitrary shellcode on the system.

Business Impact

The CVSS score of 9.8 indicates a critical risk level. Successful exploitation allows an attacker to take complete control of the local system. In a corporate environment, this could lead to the compromise of administrative accounts and subsequent lateral movement across the network, as LanSend is typically used for network administration.

Remediation Plan

Immediate Action: Update LanSend to the latest version immediately. Discontinue the use of the file import feature until the software has been patched.

Proactive Monitoring: Review endpoint security logs for any suspicious activity triggered by the LanSend process, particularly during administrative tasks.

Compensating Controls: Utilize application whitelisting and ensure that administrative tools are run in a restricted environment with limited privileges whenever possible.

Exploitation Status

Public Exploit Available: false

Analyst Notes: As of Feb 3, 2026, there is no public information indicating active exploitation. Like CVE-2020-37074, this is a client-side vulnerability that relies on user interaction with a malicious file.

Analyst Recommendation

The most effective mitigation is applying the vendor's patch. Organizations should also enforce strict policies regarding the source of administrative data files and consider using sandboxed environments for performing bulk import operations to contain potential exploits.

Description Summary:
Remote Desktop Audit 2.3.0.157 is vulnerable to a buffer overflow during the file import process, allowing attackers to execute arbitrary code via a malicious payload file.

Executive Summary:
A critical buffer overflow in Remote Desktop Audit allows attackers to achieve Remote Code Execution (RCE) by tricking a user into importing a malicious computer list file.

Vulnerability Details

CVE-ID: CVE-2020-37074

Affected Software: Remote Desktop Audit

Affected Versions: 2.3.0.157

Vulnerability: The "Add Computers Wizard" fails to properly handle large or malformed inputs when importing files. By crafting a malicious file, an attacker can trigger a buffer overflow and bypass Structured Exception Handling (SEH) to execute arbitrary shellcode.

Business Impact

With a CVSS score of 9.8, this flaw represents a significant threat to administrative workstations. An attacker can gain full control over the machine used to manage remote desktop connections, potentially compromising the credentials and access to the entire server fleet managed through the software.

Remediation Plan

Immediate Action: Update Remote Desktop Audit to the latest available version and refrain from importing computer lists from untrusted or unknown sources.

Proactive Monitoring: Monitor administrative workstations for unusual process spawning (e.g., cmd.exe or powershell.exe) originating from the Remote Desktop Audit application.

Compensating Controls: Enable advanced exploit protection features like Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) at the OS level to mitigate buffer overflow impacts.

Exploitation Status

Public Exploit Available: false

Analyst Notes: As of Feb 3, 2026, there is no public information indicating active exploitation. This vulnerability requires a user to perform an action (importing a file), which categorizes it as a client-side attack vector.

Analyst Recommendation

Apply the software update immediately to resolve the underlying memory handling issue. Furthermore, security awareness training should emphasize the danger of importing configuration files from untrusted sources, as this is a common vector for targeting IT administrators.

Description Summary:
A buffer overflow vulnerability in CloudMe 1.11.2 allows unauthenticated remote attackers to execute arbitrary code by sending crafted packets to port 8888.

Executive Summary:
CloudMe 1.11.2 contains a critical buffer overflow vulnerability that allows unauthenticated remote code execution, posing a severe risk of complete system takeover.

Vulnerability Details

CVE-ID: CVE-2020-37070

Affected Software: CloudMe

Affected Versions: 1.11.2

Vulnerability: A buffer overflow exists in the way the CloudMe service processes incoming network packets on port 8888. An unauthenticated attacker can send a specially crafted payload to overflow the buffer and gain control of the execution flow.

Business Impact

The CVSS score of 9.8 highlights the extreme risk of Remote Code Execution (RCE). Successful exploitation allows an attacker to run arbitrary commands on the host system with the privileges of the CloudMe service, leading to data theft, ransomware deployment, or use of the system as a pivot point for further network attacks.

Remediation Plan

Immediate Action: Update CloudMe to the latest version that includes the fix for this buffer overflow and close port 8888 to the public internet.

Proactive Monitoring: Monitor network traffic for unusual or oversized packets directed at port 8888 and audit system processes for unauthorized activity.

Compensating Controls: Implement an Intrusion Prevention System (IPS) to detect and block buffer overflow signatures and use host-based security tools to monitor for suspicious execution patterns.

Exploitation Status

Public Exploit Available: false

Analyst Notes: As of Feb 3, 2026, there is no public information indicating active exploitation. However, buffer overflows in network-facing services are classic targets for high-impact exploits.

Analyst Recommendation

The primary remediation is to apply the vendor's security patch immediately. If an update is not possible, the CloudMe service should be disabled or strictly firewalled to prevent any untrusted network communication with the vulnerable port.

Description Summary:
Filetto 1.0 FTP server contains a denial of service (DoS) vulnerability in the FEAT command processing. Sending an oversized command causes a buffer overflow and service crash.

Executive Summary:
A critical buffer overflow vulnerability in the Filetto FTP Server allows unauthenticated attackers to remotely crash the service, resulting in a persistent denial of service.

Vulnerability Details

CVE-ID: CVE-2020-37067

Affected Software: Filetto FTP Server

Affected Versions: Version 1.0

Vulnerability: The vulnerability occurs during the processing of the FTP "FEAT" command. An unauthenticated attacker can send a specially crafted FEAT command containing 11,008 bytes of repeated characters, which triggers a buffer overflow and causes the FTP service to terminate unexpectedly.

Business Impact

Successful exploitation results in the immediate unavailability of the FTP service, disrupting file transfer operations and potentially impacting business workflows that rely on the server. While primarily a Denial of Service, the CVSS score of 9.8 suggests that the underlying memory corruption could potentially be leveraged for more advanced exploitation.

Remediation Plan

Immediate Action: Update Filetto FTP Server to the latest version or migrate to a more robust and regularly maintained FTP solution such as FileZilla Server or an SFTP-based alternative.

Proactive Monitoring: Configure automated alerts to notify administrators if the FTP service stops unexpectedly and monitor network traffic for unusually large FTP command strings.

Compensating Controls: Implement an Intrusion Prevention System (IPS) with signatures designed to detect and drop oversized or malformed FTP commands, specifically targeting the FEAT verb.

Exploitation Status

Public Exploit Available: No

Analyst Notes: As of Feb 3, 2026, there is no public information indicating active exploitation of this vulnerability. DoS vulnerabilities in FTP servers are frequently used as a precursor to broader attacks or to disrupt defensive operations.

Analyst Recommendation

The Filetto FTP Server version 1.0 is highly susceptible to remote disruption. Given the age of the software and the criticality of the flaw, it is recommended to replace this software with a modern, secure alternative that supports encrypted transfers and has a proven track record of security patching.

Description Summary:
GoldWave 5.70 is vulnerable to a stack-based buffer overflow in the File Open URL dialog. Attackers can use Unicode-encoded shellcode in a text file to execute commands upon opening.

Executive Summary:
A critical stack-based buffer overflow in GoldWave 5.70 enables attackers to execute arbitrary code on a user's system by tricking them into opening a specially crafted URL or file.

Vulnerability Details

CVE-ID: CVE-2020-37066

Affected Software: GoldWave

Affected Versions: Version 5.70

Vulnerability: The vulnerability exists in the "File Open URL" dialog handler. By crafting a malicious text file containing Unicode-encoded shellcode and a long string, an attacker can trigger a stack-based overflow when the user attempts to open the malicious input, leading to arbitrary command execution.

Business Impact

Successful exploitation results in arbitrary code execution with the privileges of the logged-in user. This could lead to unauthorized access to sensitive files, credential theft, and the establishment of a persistent presence on the corporate network. The CVSS score of 9.8 underscores the high severity of this remote exploitation vector.

Remediation Plan

Immediate Action: Update GoldWave to the latest version immediately. Users should be cautioned against opening suspicious URLs or files from untrusted sources within the application.

Proactive Monitoring: Review system logs for suspicious child processes spawned by GoldWave.exe and monitor for unauthorized network activity following file-open operations.

Compensating Controls: Utilize application whitelisting and ensure that "Open URL" features are restricted or monitored by host-based security software.

Exploitation Status

Public Exploit Available: No

Analyst Notes: As of Feb 3, 2026, there is no public information indicating active exploitation of this vulnerability. However, the requirement for user interaction (opening a file/URL) is a common social engineering tactic used in targeted attacks.

Analyst Recommendation

The ability to execute code via a standard file-open dialog is a critical security failure. Organizations must ensure that GoldWave is updated to a patched version across all endpoints. Furthermore, security awareness training should emphasize the risks of processing untrusted files in multimedia software.

Description Summary:
StreamRipper32 version 2.6 contains a buffer overflow in the Station/Song Section. Attackers can provide a malicious SongPattern input to overwrite memory and execute arbitrary code.

Executive Summary:
A critical buffer overflow vulnerability in StreamRipper32 allows unauthenticated attackers to execute arbitrary code and gain full control over the host system via crafted song patterns.

Vulnerability Details

CVE-ID: CVE-2020-37065

Affected Software: StreamRipper32

Affected Versions: Version 2.6

Vulnerability: This is a classic buffer overflow vulnerability residing in the Station/Song Section. An unauthenticated attacker can craft a malicious payload exceeding 256 bytes in the SongPattern input, triggering a memory overwrite that allows for arbitrary code execution.

Business Impact

A successful exploit grants the attacker the same privileges as the user running the StreamRipper32 application. This can lead to full system compromise, including the installation of malware, data exfiltration, and lateral movement within the network. The CVSS score of 9.8 reflects the critical nature of remote code execution (RCE) vulnerabilities.

Remediation Plan

Immediate Action: Discontinue the use of StreamRipper32 version 2.6 and update to the latest available version or an alternative secure streaming utility.

Proactive Monitoring: Security teams should monitor for unusual process behavior originating from the StreamRipper32 executable, such as unexpected network connections or shell spawning.

Compensating Controls: Implement Endpoint Detection and Response (EDR) solutions to detect and block memory exploitation attempts and buffer overflow techniques at the host level.

Exploitation Status

Public Exploit Available: No

Analyst Notes: As of Feb 3, 2026, there is no public information indicating active exploitation of this vulnerability. Buffer overflows in legacy media applications are common targets for exploit researchers, making the potential for exploitation high.

Analyst Recommendation

Organizations should immediately identify and update or remove any instances of StreamRipper32 2.6 within their environment. Because this vulnerability allows for unauthenticated remote code execution, it represents a significant risk to any workstation where the software is deployed.

Executive Summary:
A high-severity vulnerability has been identified in BOOTP Turbo 2, affecting multiple products. An unauthenticated attacker on the local network could exploit this flaw to potentially execute arbitrary code on the affected server, leading to a complete system compromise and disruption of critical network services. Organizations are urged to apply vendor patches immediately to mitigate the significant risk of unauthorized access and network instability.

Vulnerability Details

CVE-ID: CVE-2020-37061

Affected Software: BOOTP Multiple Products

Affected Versions: See vendor advisory for specific affected versions

Vulnerability: This vulnerability is a buffer overflow within the BOOTP Turbo 2 service. The flaw occurs when the service improperly handles specially crafted BOOTP request packets. An unauthenticated attacker on the same network segment can send a malicious packet with an oversized payload, triggering the overflow and allowing for the execution of arbitrary code with the privileges of the BOOTP service. Successful exploitation does not require any user interaction or prior authentication.

Business Impact

This vulnerability is rated as High severity with a CVSS score of 7.8. Successful exploitation could lead to a complete compromise of the server running the BOOTP service. An attacker could gain a foothold in the network, install malware or ransomware, exfiltrate sensitive data, or pivot to attack other internal systems. Furthermore, since BOOTP is a foundational network service responsible for assigning IP addresses, its compromise could lead to a widespread denial-of-service condition, disrupting business operations that rely on network connectivity.

Remediation Plan

Immediate Action:

• Apply vendor security updates immediately to all affected systems to patch the vulnerability.
• After patching, monitor for any signs of exploitation attempts that may have occurred prior to remediation.
• Review system and network access logs for any anomalous activity originating from or targeting the BOOTP server.

Proactive Monitoring:

• Network Traffic: Utilize network intrusion detection/prevention systems (NIDS/NIPS) to monitor for malformed or unusually large BOOTP (UDP port 67) packets.
• Log Analysis: Scrutinize BOOTP server logs for repeated crashes, restarts, or error messages related to packet processing, which could indicate scanning or exploitation attempts.
• Host-Based Monitoring: Monitor the server for unexpected processes, unauthorized outbound network connections, or abnormal CPU and memory utilization.

Compensating Controls:

• Network Segmentation: Isolate the BOOTP server from critical assets and user workstations.
• Access Control: Implement strict firewall rules or Access Control Lists (ACLs) to restrict BOOTP traffic to only trusted network segments and authorized clients.
• Intrusion Prevention System (IPS): Deploy an IPS with updated signatures capable of detecting and blocking known exploit patterns for buffer overflow vulnerabilities in network services.

Exploitation Status

Public Exploit Available: false

Analyst Notes: As of February 2, 2026, there are no known public proof-of-concept exploits or active exploitation campaigns targeting this vulnerability. However, given the low complexity of exploitation for a network-based service, the likelihood of an exploit being developed is high. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.

Analyst Recommendation

Given the high severity (CVSS 7.8) of this vulnerability and its potential for complete system compromise, we strongly recommend that patching be treated as a critical priority. Organizations should apply the vendor-provided security updates to all affected BOOTP servers immediately. While there is no current evidence of active exploitation, the risk of future attacks is significant. If immediate patching is not feasible, implement the recommended compensating controls, particularly network segmentation and access control, to reduce the attack surface until updates can be deployed.

Executive Summary:
A high-severity vulnerability exists within the feedback module of multiple Online Exam System products, allowing for a SQL injection attack. An unauthenticated attacker can exploit this flaw to manipulate the application's database, potentially leading to the unauthorized access, modification, or theft of sensitive information such as student data, exam results, and administrative credentials.

Vulnerability Details

CVE-ID: CVE-2020-37057

Affected Software: Multiple Products utilizing the 'feedback module', including Online-Exam-System 2015.

Affected Versions: See vendor advisory for specific affected versions.

Vulnerability: The application's feedback module contains a SQL injection vulnerability due to insufficient input sanitization of the 'fid' parameter. An attacker can send a specially crafted request containing malicious SQL commands within the 'fid' parameter. Because the application incorporates this user-supplied data directly into a database query, the attacker's commands are executed by the database, allowing them to bypass security controls and interact directly with the underlying database.

Business Impact

This vulnerability is rated as High severity with a CVSS score of 8.2, posing a significant risk to the organization. Successful exploitation could lead to a severe data breach, compromising the confidentiality, integrity, and availability of the system. For an online exam platform, this could result in the theft of student personal information, alteration of grades, leakage of confidential exam questions, and reputational damage to the institution. The compromise of administrative credentials could allow an attacker to gain full control over the system, leading to widespread disruption.

Remediation Plan

Immediate Action:

• Apply Patches: Immediately deploy the security patches provided by the vendor to fix the root cause of the vulnerability.
• Review Access Controls: Audit the database user account used by the application. Ensure it operates under the principle of least privilege, with permissions restricted only to the necessary database operations.
• Enable Logging: Activate and monitor detailed database query logging. This will help in detecting potential exploitation attempts and aid in forensic analysis if a compromise is suspected.

Proactive Monitoring:

• Monitor web server and application logs for unusual requests targeting the feedback module, specifically looking for malformed or suspicious syntax in the 'fid' parameter.
• Analyze database logs for unexpected queries, errors, or queries that deviate from normal application behavior.
• Use a Web Application Firewall (WAF) to monitor and block traffic matching known SQL injection signatures.

Compensating Controls:

• Web Application Firewall (WAF): If patching is delayed, implement or configure a WAF with strict rules to detect and block SQL injection attack patterns against the 'fid' parameter.
• Input Validation: As a temporary measure, implement server-side validation to strictly sanitize and validate all data passed through the 'fid' parameter, allowing only expected data types and formats.
• Database Segmentation: Isolate the database server on a secure network segment to limit an attacker's ability to move laterally if the database is compromised.

Exploitation Status

Public Exploit Available: True

Analyst Notes: As of January 31, 2026, this vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. However, SQL injection is a well-documented and common vulnerability class, and proof-of-concept exploits are readily available for such flaws. Threat actors frequently scan for and exploit unpatched SQL injection vulnerabilities, making any unpatched, internet-facing system a likely target.

Analyst Recommendation
Given the High severity (CVSS 8.2) of this vulnerability and the critical nature of the data managed by an Online Exam System, immediate action is required. Although this CVE is not on the CISA KEV list, the ease of exploitation and potential for significant data compromise present a clear and present danger. We strongly recommend that organizations prioritize the immediate application of vendor patches. If patching is not feasible, the compensating controls outlined above, particularly the use of a WAF, should be implemented without delay to mitigate risk.

Executive Summary:
A critical IP spoofing vulnerability exists in Crystal Shard's http-protection middleware, identified as CVE-2020-37056. This flaw allows a remote attacker to bypass IP-based security controls, such as access lists or rate limiting, by manipulating specific HTTP headers. Successful exploitation could lead to unauthorized access to protected resources, denial-of-service conditions, or circumvention of security policies.

Vulnerability Details

CVE-ID: CVE-2020-37056

Affected Software: Crystal Shard Multiple Products

Affected Versions: http-protection version 0.2.0. See vendor advisory for specific affected products.

Vulnerability: The http-protection middleware fails to properly validate the source of IP address information, incorrectly trusting user-supplied HTTP headers. An unauthenticated, remote attacker can exploit this by sending a crafted HTTP request containing headers such as X-Forwarded-For, X-Client-IP, and X-Real-IP. By setting a consistent, arbitrary IP address value across these headers, the attacker can deceive the application into believing the request originates from a trusted or whitelisted IP, thereby bypassing security middleware designed to restrict access based on the source IP address.

Business Impact

This vulnerability is rated as critical with a CVSS score of 9.8, posing a severe risk to the organization. Exploitation could lead to a complete compromise of IP-based access controls, resulting in unauthorized access to sensitive applications, data, and administrative interfaces. This could facilitate data breaches, account takeovers, and further network intrusion. Additionally, bypassing rate-limiting protections could expose services to denial-of-service (DoS) attacks, impacting service availability and business continuity.

Remediation Plan

Immediate Action:

• Immediately apply security updates by upgrading all instances of Crystal Shard Multiple Products to the latest patched version as recommended by the vendor.
• Review access logs for any signs of past exploitation, such as successful logins or access from unexpected IP addresses that may have been spoofed.

Proactive Monitoring:

• Implement log monitoring rules to detect and alert on incoming web requests that contain multiple IP-forwarding headers (X-Forwarded-For, X-Client-IP, X-Real-IP).
• Analyze web server and application logs for anomalous access patterns, such as a high volume of requests from a single IP that is not a known proxy, or access attempts that bypass established IP blocklists.

Compensating Controls:

• If immediate patching is not feasible, configure upstream devices like load balancers or reverse proxies to strip these specific headers from client-initiated requests and set a trusted value before forwarding traffic to the application.
• Deploy a Web Application Firewall (WAF) with rules designed to detect and block requests with manipulated or conflicting IP-forwarding headers.
• Enforce multi-factor authentication (MFA) on all critical systems to provide an additional layer of security that does not rely on the source IP address.

Exploitation Status

Public Exploit Available: true

Analyst Notes: As of January 30, 2026, this vulnerability has been publicly disclosed. Given the straightforward nature of the exploit (header manipulation), it is highly likely that threat actors can easily craft exploits. Although not currently listed on the CISA KEV (Known Exploited Vulnerabilities) catalog, its high severity and ease of exploitation make it an attractive target.

Analyst Recommendation

Given the critical CVSS score of 9.8, this vulnerability requires immediate attention. The primary recommendation is to apply the vendor-supplied patches across all affected systems without delay. If patching must be postponed, the implementation of compensating controls, particularly reconfiguring the upstream reverse proxy to sanitize IP-related headers, is a critical stop-gap measure to mitigate the immediate risk of unauthorized access. Organizations should treat this as a high-priority vulnerability due to the significant potential for security control bypass.

Executive Summary:
A high-severity vulnerability exists in SpyHunter security products that could allow a local attacker to take full control of an affected system. The flaw, known as an unquoted service path, can be exploited by a malicious user with standard access to run their own code with the highest system privileges. This would allow an attacker to completely compromise the machine, steal data, and potentially move to other systems on the network.

Vulnerability Details

CVE-ID: CVE-2020-37055

Affected Software: SpyHunter Multiple Products

Affected Versions: See vendor advisory for specific affected versions

Vulnerability: This vulnerability is an Unquoted Service Path. The SpyHunter service executable's path is registered in Windows without being enclosed in quotation marks. If the path contains spaces (e.g., C:\Program Files\SpyHunter\service.exe), the Windows operating system may misinterpret it and attempt to execute files at each space-separated segment. An attacker with local access and permissions to write to a parent directory (like C:\) can place a malicious executable named Program.exe in that location. When the system attempts to start the SpyHunter service, it will execute the attacker's malicious file with SYSTEM-level privileges instead of the legitimate service.

Business Impact

This vulnerability is rated as High severity with a CVSS score of 7.8. Exploitation allows for a full privilege escalation, enabling an attacker with basic user access to gain complete administrative (SYSTEM) control over the affected endpoint. The business impact includes the potential for total system compromise, leading to data theft of sensitive corporate or personal information, deployment of ransomware or other persistent malware, and the ability for an attacker to use the compromised machine as a pivot point to attack other resources on the internal network. Since SpyHunter is a security product, its compromise could also be used to disable other security controls and evade detection.

Remediation Plan

Immediate Action: Apply the security updates provided by the vendor to all affected systems immediately. After patching, monitor system logs for any signs of pre-patch exploitation, such as unexpected service failures or unauthorized process execution. Review access logs to identify any accounts that may have been used to exploit this vulnerability.

Proactive Monitoring: Monitor Windows Event Logs (System and Security) for unusual service behavior, particularly Event ID 7000 (Service Start Failed) related to the SpyHunter service. Enable and monitor process creation logging (Event ID 4688) to detect suspicious executables (e.g., Program.exe, Common.exe) launching from root directories like C:\ or C:\Program Files.

Compensating Controls: If patching cannot be performed immediately, implement application control solutions like AppLocker or Windows Defender Application Control to prevent the execution of unauthorized executables from world-writable directories. Additionally, enforce strict file system permissions to prevent non-administrative users from creating files in root-level directories.

Exploitation Status

Public Exploit Available: true

Analyst Notes: As of February 2, 2026, this vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. However, the technique for exploiting unquoted service paths is publicly known, well-documented, and trivial for an attacker with local access to execute. Privilege escalation is a common objective for threat actors after gaining an initial foothold, making vulnerabilities like this an attractive target.

Analyst Recommendation

Given the high severity (CVSS 7.8) and the simplicity of exploitation for an attacker who has already gained local access, we recommend that organizations prioritize patching this vulnerability immediately. Although it is not on the CISA KEV list, the risk of complete system compromise is significant. All endpoints running the affected SpyHunter products should be identified and updated to the latest version to mitigate the risk of privilege escalation and subsequent lateral movement within the network.

Executive Summary:
A critical vulnerability has been identified in AirControl products, designated CVE-2020-37052. This flaw allows an unauthenticated remote attacker to take complete control of the affected system by sending a specially crafted web request. Successful exploitation could lead to a full system compromise, data theft, and significant operational disruption.

Vulnerability Details

CVE-ID: CVE-2020-37052

Affected Software: AirControl Multiple Products

Affected Versions: Version 1.4.2 is confirmed vulnerable. See vendor advisory for a complete list of affected versions.

Vulnerability: This is a pre-authentication remote code execution (RCE) vulnerability. The flaw exists within the application's handling of the /.seam endpoint, which is vulnerable to Java expression injection. An unauthenticated attacker can craft a malicious URL containing Java expressions that, when processed by the server, are executed as system commands with the privileges of the AirControl application service.

Business Impact

This vulnerability carries a critical severity rating with a CVSS score of 9.8. Exploitation requires no authentication or user interaction, making it easy to automate and use for widespread attacks. A successful attack would result in a complete compromise of the server hosting the AirControl software, allowing an attacker to steal sensitive data, install malware or ransomware, disrupt services, and use the compromised system as a pivot point to move laterally within the corporate network. The potential business impact includes major data breaches, significant operational downtime, financial loss, and severe reputational damage.

Remediation Plan

Immediate Action:

• Immediately update all instances of AirControl to the latest patched version as recommended by the vendor.
• Consult the official vendor security advisory for specific patch information and detailed instructions.
• After patching, review web server and application logs for any signs of past exploitation attempts targeting the /.seam endpoint.

Proactive Monitoring:

• Monitor web server access logs for any requests to the /.seam endpoint. Pay close attention to requests with unusually long or complex URL parameters, as these may indicate exploitation attempts.
• Implement endpoint monitoring to detect suspicious processes being spawned by the AirControl application user.
• Monitor network traffic for unexpected outbound connections from the AirControl server, which could signify a successful compromise.

Compensating Controls:

• If immediate patching is not feasible, implement a Web Application Firewall (WAF) rule to block all access to the /.seam endpoint or filter requests containing patterns associated with Java expression injection.
• Restrict network access to the AirControl management interface to only trusted IP addresses and internal management networks.
• Run the AirControl service with the lowest possible user privileges to limit the impact of a potential compromise.

Exploitation Status

Public Exploit Available: true

Analyst Notes:
As of January 30, 2026, this is a critical pre-authentication RCE vulnerability that is simple to exploit. Vulnerabilities of this nature typically see rapid development of public proof-of-concept (PoC) exploits, and widespread scanning for vulnerable instances is highly likely. Although the CVE is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its high severity and low attack complexity mean it is a prime target for threat actors. Organizations should assume active exploitation is occurring in the wild.

Analyst Recommendation
Given the critical CVSS score of 9.8 and the pre-authentication nature of this RCE vulnerability, we strongly recommend that immediate action be taken. The primary and most effective remediation is to apply the vendor-supplied patches to all affected AirControl systems without delay. If patching is not immediately possible, the compensating controls listed above, particularly restricting access and implementing WAF rules, must be deployed as a matter of urgency to reduce the attack surface. Furthermore, organizations should actively hunt for evidence of compromise, as systems may have been breached prior to the application of patches.

Executive Summary:
A high-severity vulnerability exists within the feedback form of the Online-Exam-System and potentially other products. This flaw, a time-based blind SQL injection, allows an unauthenticated attacker to manipulate the database and steal sensitive information, such as user password hashes. Successful exploitation could lead to a complete compromise of the application's database, resulting in a significant data breach.

Vulnerability Details

CVE-ID: CVE-2020-37051

Affected Software: feedback Multiple Products, including Online-Exam-System

Affected Versions: The 2015 version of Online-Exam-System is explicitly mentioned. See vendor advisory for a complete list of affected products and versions.

Vulnerability: The application's feedback form fails to properly sanitize user-supplied input before incorporating it into a database query. An attacker can submit specially crafted input containing malicious SQL commands. Because this is a "blind" SQL injection, the application does not directly return data or errors; instead, the attacker uses time-based commands (e.g., SLEEP() or WAITFOR DELAY) to force the database to pause for a specific duration based on true/false conditions. By measuring the server's response time, the attacker can infer information one character at a time, allowing for the methodical exfiltration of the entire database, including sensitive password hashes.

Business Impact

This vulnerability is rated as High severity with a CVSS score of 8.2. Exploitation could lead to a complete compromise of the underlying database, exposing all stored data. The primary business impact is a severe data breach, including the theft of user credentials (password hashes), which could grant attackers access to user accounts. This can result in significant reputational damage, loss of customer trust, and potential financial and legal repercussions related to data privacy regulations.

Remediation Plan

Immediate Action:

• Apply Patches: Immediately deploy the security patches provided by the vendor to fix the root cause of the vulnerability.
• Review Access Controls: Audit database user permissions to ensure the web application's account adheres to the principle of least privilege, limiting the potential impact of a compromise.
• Enable Logging: Activate and monitor detailed database query logging to detect and investigate suspicious queries indicative of an attack.

Proactive Monitoring:

• Monitor web application logs for unusually long response times or malformed requests targeting the feedback form.
• Analyze database logs for queries containing time-delay functions (e.g., SLEEP, BENCHMARK, WAITFOR DELAY) or other common SQL injection payloads.
• Utilize network monitoring to flag connections with abnormally high latency patterns, which could indicate a time-based exfiltration attempt.

Compensating Controls:

• Implement a Web Application Firewall (WAF) with a ruleset configured to detect and block SQL injection attacks.
• If possible, enforce strict input validation and parameterization at the application layer as an interim measure until patching can be completed.
• Restrict access to the feedback form to authenticated users only to reduce the attack surface from unauthenticated attackers.

Exploitation Status

Public Exploit Available: true

Analyst Notes: As of January 31, 2026, proof-of-concept exploits and automated tools for time-based blind SQL injection are widely available, making this vulnerability relatively easy for attackers to exploit. While this CVE is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, the high severity and availability of public exploits present a significant risk.

Analyst Recommendation
Given the high CVSS score of 8.2 and the potential for a complete database compromise, this vulnerability requires immediate attention. The primary recommendation is to apply the vendor-supplied patches across all affected systems without delay. Due to the wide availability of exploitation tools for this vulnerability class, organizations should treat this as a critical priority, even in the absence of a CISA KEV listing.

Executive Summary:
A critical buffer overflow vulnerability has been identified in Quick Player software, rated with a CVSS score of 9.8 out of 10. An attacker can exploit this flaw by tricking a user into opening a specially crafted malicious media file, which could allow the attacker to execute arbitrary code and gain full control of the affected system. This could lead to data theft, installation of malware, or further intrusion into the network.

Vulnerability Details

CVE-ID: CVE-2020-37050

Affected Software: Quick Player Multiple Products

Affected Versions: Version 1.3 is confirmed to be vulnerable. See vendor advisory for a complete list of affected products and versions.

Vulnerability: This vulnerability is a classic buffer overflow that occurs when the Quick Player application processes a specially crafted .m3l media playlist file. An attacker can create a .m3l file with an overly long data string that, when parsed by the application, exceeds the memory buffer allocated for it. This overflow can be leveraged to overwrite adjacent memory, including the instruction pointer, allowing the attacker to redirect the program's execution flow to a malicious payload (shellcode) embedded within the file, resulting in arbitrary code execution with the permissions of the user running the application.

Business Impact

The exploitation of this vulnerability carries a critical business impact, reflected by its CVSS score of 9.8. A successful attack would grant an adversary complete control over the compromised workstation, effectively making them an administrator on the machine. This level of access could lead to severe consequences, including the theft of sensitive corporate or personal data, deployment of ransomware, installation of persistent backdoors for long-term access, and the ability to use the compromised system as a pivot point to attack other resources on the internal network. The potential for data breaches, financial loss, and significant reputational damage is extremely high.

Remediation Plan

Immediate Action: Immediately update all instances of Quick Player Multiple Products to the latest version provided by the vendor to patch this vulnerability. Prioritize patching on systems used by employees with access to sensitive information and on all workstations with the vulnerable software installed. Following the update, monitor for any signs of prior exploitation by reviewing application and system access logs for suspicious activity.

Proactive Monitoring: Implement enhanced monitoring on endpoints where Quick Player is installed. Use Endpoint Detection and Response (EDR) tools to look for suspicious process chains, such as quickplayer.exe spawning command shells (cmd.exe, powershell.exe) or making unusual outbound network connections. Security teams should also monitor for an increase in Quick Player application crashes, as this can be an indicator of failed exploitation attempts.

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls to reduce risk:

• User Education: Advise all users to be cautious and not open .m3l files from untrusted sources, such as email attachments or internet downloads.
• File Association: Disassociate the .m3l file extension from the Quick Player application to prevent users from accidentally opening a malicious file.
• Application Control: Utilize application whitelisting solutions to prevent Quick Player from executing unexpected child processes.

Exploitation Status

Public Exploit Available: False

Analyst Notes: As of the publication date of this advisory (Jan 30, 2026), there are no known public proof-of-concept exploits or observed in-the-wild attacks targeting CVE-2020-37050. However, buffer overflow vulnerabilities in file parsing mechanisms are well-understood, and it is highly probable that a functional exploit could be developed by threat actors with moderate skill. This vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.

Analyst Recommendation

Given the critical severity (CVSS 9.8) of this vulnerability and the potential for complete system compromise, we strongly recommend that organizations treat this as a high-priority issue. The required user interaction does not significantly diminish the risk, as social engineering tactics are highly effective. All vulnerable instances of Quick Player should be updated to the latest version immediately. Although there is no evidence of active exploitation at this time, the risk of future attacks is substantial, and organizations should act decisively to apply patches or implement mitigating controls without delay.

Executive Summary:
A high-severity vulnerability exists within the Iskysoft Application Framework Service 2, a component used across multiple Framework products. This flaw allows a local attacker with basic user permissions to escalate their privileges, potentially gaining complete administrative control over the affected system. Successful exploitation could lead to data theft, ransomware deployment, or further network intrusion.

Vulnerability Details

CVE-ID: CVE-2020-37048

Affected Software: Framework Multiple Products

Affected Versions: See vendor advisory for specific affected versions

Vulnerability: This vulnerability is a Local Privilege Escalation (LPE) due to insecure file permissions associated with the "Iskysoft Application Framework Service 2". A local attacker with low-level user access can replace the legitimate service executable with a malicious payload. When the service is started or restarted (e.g., during a system reboot), the operating system will execute the attacker's malicious code with SYSTEM-level privileges, resulting in a complete compromise of the host machine.

Business Impact

This vulnerability is rated as High severity with a CVSS score of 7.8. Exploitation allows an attacker who has already gained an initial foothold on a system to elevate their privileges to the highest level. This enables them to bypass all local security controls, access, modify, or exfiltrate sensitive data, install persistent malware like ransomware or backdoors, and use the compromised system as a pivot point for further attacks across the network. The business risk includes data breaches, operational disruption, and significant reputational damage.

Remediation Plan

Immediate Action: The primary remediation is to apply the security updates provided by the vendor to all affected systems immediately. After patching, review system and application logs for any signs of unauthorized service modification or execution that may have occurred prior to the update.

Proactive Monitoring: Implement monitoring to detect potential exploitation attempts. Watch for unusual modification or replacement of service executables, especially for services running with high privileges. Monitor Windows Event Logs for service-related errors or changes (e.g., Event IDs 7036, 7040, 7045) and look for unexpected child processes spawning from the "Iskysoft Application Framework Service 2".

Compensating Controls: If immediate patching is not feasible, apply temporary compensating controls. Use application control solutions (e.g., AppLocker) to prevent unauthorized executables from running. Harden file system permissions (ACLs) on the service's executable file and its installation directory to prevent modification by non-administrative users. If the service is not critical for business operations, consider disabling it until a patch can be applied.

Exploitation Status

Public Exploit Available: true

Analyst Notes: As of February 2, 2026, multiple public proof-of-concept (PoC) exploits are available for this vulnerability. While the CVE is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, the public availability of exploit code significantly increases the risk of this vulnerability being used by threat actors in post-compromise scenarios to escalate privileges.

Analyst Recommendation

Given the high severity rating (CVSS 7.8) and the availability of public exploit code, immediate action is required. We strongly recommend that organizations prioritize the deployment of vendor-supplied security patches to all systems running the affected software. For systems where patching is delayed, the compensating controls outlined above should be implemented immediately to reduce the risk of privilege escalation. This vulnerability represents a critical link in a potential attack chain and must be addressed urgently.

Executive Summary:
A high-severity vulnerability exists within the Deep Instinct Windows Agent, identified as CVE-2020-37047. This flaw allows a local attacker with basic user permissions to escalate their privileges to the highest level (SYSTEM), enabling a complete compromise of the affected endpoint. Successful exploitation could lead to data theft, malware deployment, and lateral movement within the network.

Vulnerability Details

CVE-ID: CVE-2020-37047

Affected Software: Deep Instinct Windows Agent

Affected Versions: All versions prior to 1.9.0.51

Vulnerability: This vulnerability is a local privilege escalation due to improper permissions in the Deep Instinct Agent's application directory, a condition often leading to DLL hijacking. An authenticated attacker with low-level privileges on a local system can replace a specific Dynamic Link Library (DLL) file used by the agent with a malicious one. When the Deep Instinct agent service is started or restarted, it loads and executes the malicious DLL with SYSTEM-level privileges, granting the attacker full administrative control over the compromised machine.

Business Impact

This vulnerability is rated as High severity with a CVSS score of 7.8. If exploited, an attacker who has already gained initial low-privilege access can elevate their permissions to SYSTEM, effectively gaining complete control of the endpoint. This level of access would allow the attacker to bypass all security controls, disable the security agent itself, install persistent malware or ransomware, exfiltrate sensitive corporate data, and use the compromised system as a pivot point to attack other resources on the network. The potential business impact includes data breach, significant operational disruption, and reputational damage.

Remediation Plan

Immediate Action: Update the Deep Instinct Windows Agent to version 1.9.0.51 or a later version across all affected endpoints immediately. After patching, monitor systems for any signs of post-exploitation activity and review security logs for indicators of compromise that may have occurred prior to remediation.

Proactive Monitoring: Implement enhanced monitoring to detect potential exploitation attempts. Look for unusual file write operations or modifications to DLLs within the Deep Instinct installation directory. Monitor for suspicious child processes spawning from the Deep Instinct service (e.g., di_service.exe), such as cmd.exe or powershell.exe, and configure EDR alerts for known privilege escalation techniques.

Compensating Controls: If immediate patching is not feasible, implement the following controls to mitigate risk:

• Use File Integrity Monitoring (FIM) to alert on any changes to files within the Deep Instinct Agent's program directories.
• Apply strict access control lists (ACLs) to the agent's installation folder to prevent low-privilege users from writing or modifying files.
• Deploy application whitelisting solutions to prevent unauthorized DLLs from being loaded.

Exploitation Status

Public Exploit Available: true

Analyst Notes: As of the provided date of February 2, 2026, proof-of-concept (PoC) exploit code for this vulnerability is publicly and widely available. The vulnerability requires an attacker to have already achieved initial access to a target system, making it a common second-stage payload in an attack chain. While it is not currently listed on the CISA KEV catalog, the public availability of an exploit increases the risk of it being used by threat actors of varying skill levels.

Analyst Recommendation

Given the high severity (CVSS 7.8) and the public availability of a functional exploit, immediate remediation is strongly recommended. The ability for an attacker to gain full SYSTEM-level control presents a critical risk to the security of the endpoint and the broader network. Organizations must prioritize the deployment of the vendor-supplied security update for the Deep Instinct Windows Agent to all vulnerable systems to prevent potential compromise.

Executive Summary:
A high-severity vulnerability has been identified in multiple Veritas products, including NetBackup 7. This flaw could allow an attacker to compromise the backup infrastructure, potentially leading to unauthorized access, modification, or deletion of critical backup data, thereby severely impacting an organization's disaster recovery and business continuity capabilities.

Vulnerability Details

CVE-ID: CVE-2020-37045

Affected Software: Veritas Multiple Products

Affected Versions: Veritas NetBackup 7. See vendor advisory for specific affected versions.

Vulnerability: This vulnerability likely stems from an improper input validation or deserialization flaw within a core service of the Veritas NetBackup application. An unauthenticated remote attacker could exploit this by sending a specially crafted network packet to a listening service on the NetBackup server. Successful exploitation would result in arbitrary code execution with the privileges of the NetBackup service, granting the attacker a significant foothold on the system and access to the backup environment.

Business Impact

This vulnerability is rated as High severity with a CVSS score of 7.8. The business impact of a successful exploit is significant. As NetBackup servers manage an organization's most critical data backups, their compromise could lead to catastrophic consequences, including the theft of sensitive corporate or customer data, destruction or ransomware encryption of all backup sets, and a complete loss of disaster recovery capabilities. This poses a direct threat to business continuity and could result in severe financial loss, regulatory penalties, and reputational damage.

Remediation Plan

Immediate Action: The primary remediation is to apply the security updates provided by Veritas to all affected systems immediately. This action directly patches the vulnerability and is the most effective method of mitigating the risk. After patching, administrators should review system and application access logs for any signs of compromise that may have occurred prior to the update.

Proactive Monitoring: Implement enhanced monitoring on NetBackup servers. Security teams should look for unusual inbound connection attempts to NetBackup service ports, unexpected process creation or command execution by the NetBackup service account, and large or anomalous data transfers from the backup server. Configure alerts for repeated failed authentication attempts followed by a success from an unknown source.

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls:

• Restrict network access to NetBackup servers and their management interfaces, allowing connections only from trusted administrative subnets.
• Use a host-based firewall to explicitly deny all traffic to the affected services from unauthorized sources.
• Increase the logging level for NetBackup applications and forward logs to a centralized SIEM for correlation and analysis.

Exploitation Status

Public Exploit Available: false

Analyst Notes: As of February 2, 2026, there is no known public proof-of-concept exploit code for this vulnerability. However, backup systems are high-value targets for threat actors, particularly ransomware groups, who seek to disable recovery options. The technical details of the vulnerability may become public, increasing the likelihood of exploit development.

Analyst Recommendation

Due to the high severity of this vulnerability and the critical role of NetBackup in maintaining business continuity, we strongly recommend that organizations prioritize the immediate application of vendor-supplied security updates. Although this vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its potential for severe disruption warrants urgent attention. All compensating controls should be considered secondary to patching and should be implemented if a maintenance window for patching is not immediately available.

Executive Summary:
A critical buffer overflow vulnerability, identified as CVE-2020-37043, exists in 10-Strike Bandwidth Monitor version 3.9. This flaw allows an unauthenticated remote attacker to gain complete control over an affected system by sending a specially crafted registration key. Successful exploitation bypasses modern security protections and enables the attacker to execute arbitrary commands, leading to a full system compromise.

Vulnerability Details

CVE-ID: CVE-2020-37043

Affected Software: 10-Strike Bandwidth Monitor

Affected Versions: 3.9

Vulnerability: This vulnerability is a classic buffer overflow that occurs in the input field for the application's registration key. An attacker can send a malicious payload that is longer than the buffer allocated for the key. This action overwrites adjacent memory on the stack, allowing the attacker to hijack the program's execution flow. The exploit is sophisticated enough to bypass standard memory protection mechanisms, including SafeSEH, Address Space Layout Randomization (ASLR), and Data Execution Prevention (DEP), ultimately resulting in remote code execution (RCE) with the privileges of the application.

Business Impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. A successful exploit would grant an attacker complete control over the system running the vulnerable software. This could lead to severe consequences, including the theft of sensitive network monitoring data, deployment of ransomware, disruption of critical network visibility, and using the compromised machine as a pivot point to launch further attacks against the internal network. The confidentiality, integrity, and availability of the affected system and the network it monitors are at extreme risk.

Remediation Plan

Immediate Action: Update 10-Strike Bandwidth Monitor to the latest version provided by the vendor to patch the vulnerability. After updating, monitor for any further exploitation attempts and review application and system access logs for any suspicious activity related to the registration function that occurred prior to patching.

Proactive Monitoring: Implement enhanced monitoring to detect potential exploitation attempts. This includes analyzing application logs for malformed or excessively long registration key entries, using an Endpoint Detection and Response (EDR) solution to watch for the Bandwidth Monitor process spawning unexpected child processes (e.g., cmd.exe, powershell.exe), and monitoring network traffic for unusual outbound connections from the host.

Compensating Controls: If patching cannot be performed immediately, implement compensating controls to reduce risk. Restrict network access to the application's management interface, particularly the registration function, to only trusted IP addresses and authorized administrators. Deploy an Intrusion Prevention System (IPS) or Web Application Firewall (WAF) with rules to detect and block oversized inputs to the registration key field.

Exploitation Status

Public Exploit Available: False

Analyst Notes: As of January 30, 2026, this vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, and there are no widely available public exploits. However, the detailed description of the vulnerability, including its ability to bypass multiple advanced memory protections, suggests that a functional exploit is highly feasible and may be in development or used by sophisticated threat actors.

Analyst Recommendation

Given the critical CVSS score of 9.8 and the potential for complete system compromise, immediate remediation is strongly recommended. Organizations must prioritize patching all instances of 10-Strike Bandwidth Monitor 3.9 to the latest secure version. If patching is delayed, the compensating controls listed above must be implemented as a matter of urgency to mitigate the high risk of exploitation. Due to the severity and nature of the vulnerability, organizations should treat this as an active threat and assume it could be exploited at any time.