A critical vulnerability has been identified in multiple Security Point products that allows a remote, unauthenticated attacker to gain complete control of affected Windows systems. By sending a specially crafted network request, an attacker can execute arbitrary code with the highest system privileges, leading to a full system compromise. Organizations are urged to apply the vendor-supplied patch immediately to prevent potential exploitation.

The vulnerability is a stack-based buffer overflow within the component that processes HTTP headers. An unauthenticated attacker on the network can send a specially crafted HTTP request containing an overly long header value. This action overflows the buffer allocated on the program's stack, allowing the attacker to overwrite critical control data and inject malicious code, which is then executed with SYSTEM-level privileges, the highest level of access on a Windows operating system.

This vulnerability is rated as critical severity with a CVSS score of 9.8, reflecting the extreme risk it poses to the organization. Successful exploitation would grant an attacker complete control over the affected system, potentially leading to the theft of sensitive data, deployment of ransomware, or use of the compromised system as a pivot point for further attacks within the internal network. Since Security Point is a security product, its compromise could also lead to the disabling of critical security controls, rendering the organization blind to the attacker's subsequent activities and resulting in a catastrophic breach.

Immediate Action: Immediately apply the security updates provided by the vendor to all affected instances of Security Point products. Prioritize patching for systems that are accessible from untrusted networks. After patching, verify that the update was successfully installed and the service is running correctly.

Proactive Monitoring: Implement enhanced monitoring on affected systems. Security teams should look for:

• Anomalous or malformed HTTP requests in network traffic logs targeting the Security Point application.
• Unexpected crashes or restarts of the Security Point service.
• Unusual outbound network connections or new processes being spawned by the Security Point service on host systems.
• Endpoint Detection and Response (EDR) alerts indicating suspicious activity originating from the Security Point process.

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce the risk of exploitation:

• Deploy a Web Application Firewall (WAF) or Intrusion Prevention System (IPS) with rules to inspect and block overly long or malformed HTTP headers before they reach the vulnerable application.
• Restrict network access to the vulnerable service, allowing connections only from trusted IP addresses and administrative subnets.
• Implement network segmentation to limit the potential for lateral movement from the compromised host to other critical assets.

Public Exploit Available: False

Given the critical severity of this vulnerability and the potential for complete system compromise by an unauthenticated attacker, this issue must be treated as a top priority. Organizations must apply the vendor-provided patches to all affected systems immediately. Although this CVE is not currently on the CISA KEV list, its characteristics make it a prime candidate for future inclusion and a highly attractive target for attackers. If patching is delayed, the compensating controls outlined above should be implemented without delay to mitigate the immediate risk.