A critical vulnerability has been identified in AirControl products, designated CVE-2020-37052. This flaw allows an unauthenticated remote attacker to take complete control of the affected system by sending a specially crafted web request. Successful exploitation could lead to a full system compromise, data theft, and significant operational disruption.

This is a pre-authentication remote code execution (RCE) vulnerability. The flaw exists within the application's handling of the /.seam endpoint, which is vulnerable to Java expression injection. An unauthenticated attacker can craft a malicious URL containing Java expressions that, when processed by the server, are executed as system commands with the privileges of the AirControl application service.

This vulnerability carries a critical severity rating with a CVSS score of 9.8. Exploitation requires no authentication or user interaction, making it easy to automate and use for widespread attacks. A successful attack would result in a complete compromise of the server hosting the AirControl software, allowing an attacker to steal sensitive data, install malware or ransomware, disrupt services, and use the compromised system as a pivot point to move laterally within the corporate network. The potential business impact includes major data breaches, significant operational downtime, financial loss, and severe reputational damage.

Immediate Action:

• Immediately update all instances of AirControl to the latest patched version as recommended by the vendor.
• Consult the official vendor security advisory for specific patch information and detailed instructions.
• After patching, review web server and application logs for any signs of past exploitation attempts targeting the /.seam endpoint.

Proactive Monitoring:

• Monitor web server access logs for any requests to the /.seam endpoint. Pay close attention to requests with unusually long or complex URL parameters, as these may indicate exploitation attempts.
• Implement endpoint monitoring to detect suspicious processes being spawned by the AirControl application user.
• Monitor network traffic for unexpected outbound connections from the AirControl server, which could signify a successful compromise.

Compensating Controls:

• If immediate patching is not feasible, implement a Web Application Firewall (WAF) rule to block all access to the /.seam endpoint or filter requests containing patterns associated with Java expression injection.
• Restrict network access to the AirControl management interface to only trusted IP addresses and internal management networks.
• Run the AirControl service with the lowest possible user privileges to limit the impact of a potential compromise.

Public Exploit Available: true

Given the critical CVSS score of 9.8 and the pre-authentication nature of this RCE vulnerability, we strongly recommend that immediate action be taken. The primary and most effective remediation is to apply the vendor-supplied patches to all affected AirControl systems without delay. If patching is not immediately possible, the compensating controls listed above, particularly restricting access and implementing WAF rules, must be deployed as a matter of urgency to reduce the attack surface. Furthermore, organizations should actively hunt for evidence of compromise, as systems may have been breached prior to the application of patches.