A high-severity vulnerability has been discovered in multiple Anritsu products, allowing for remote code execution. An attacker could exploit this flaw by tricking a user or an automated system into processing a specially crafted CHX file, which could lead to a complete compromise of the affected device, data theft, and further intrusion into the network.

This vulnerability is a deserialization of untrusted data flaw that occurs when the affected Anritsu software parses a malicious ShockLine CHX file. An unauthenticated remote attacker can create a specially crafted .chx file containing malicious code. When the software attempts to open and deserialize the data within this file, it fails to properly validate the input, allowing the embedded code to be executed on the system with the same privileges as the user running the software.

This vulnerability is rated as High severity with a CVSS score of 7.8. Successful exploitation allows a remote attacker to execute arbitrary code, leading to a full system compromise. The potential consequences include theft of sensitive intellectual property or measurement data, installation of malware such as ransomware, disruption of critical testing and measurement operations, and using the compromised system as a pivot point to attack other assets on the corporate network. This poses a significant risk to operational integrity and data confidentiality.

Immediate Action:

• Patch Immediately: Identify all vulnerable Anritsu systems and apply the security patches provided by the vendor. Prioritize patching for any systems that are internet-facing or accessible from less trusted network zones.
• Monitor and Log: Begin actively monitoring for signs of exploitation. Review application and system access logs for any unusual activity related to the processing of .chx files or unexpected outbound network connections from affected devices.

Proactive Monitoring:

• Network Traffic Analysis: Monitor for anomalous outbound traffic from Anritsu systems to unknown destinations, which could indicate a command-and-control (C2) channel.
• Log Analysis: Scrutinize application logs for errors or crashes related to file parsing. In endpoint detection and response (EDR) logs, look for the Anritsu software process spawning unexpected child processes (e.g., cmd.exe, powershell.exe).
• File Integrity Monitoring: Monitor for the creation of suspicious files or scripts on systems running the vulnerable software.

Compensating Controls:

• Network Segmentation: Isolate systems running the vulnerable software from the internet and other critical network segments to limit the potential impact of a compromise.
• Restrict File Uploads: If applicable, implement strict controls to only allow .chx files from trusted, verified sources to be processed by the software.
• Application Whitelisting: Use application control solutions to prevent the Anritsu software process from executing unauthorized commands or binaries.

Public Exploit Available: false

Given the high severity (CVSS 7.8) of this remote code execution vulnerability, we recommend that all organizations using the affected Anritsu products take immediate action. Although this vulnerability is not yet listed on the CISA KEV catalog, the potential for full system compromise presents a significant risk. Priority should be given to applying the vendor-supplied patches to all vulnerable systems, starting with those exposed to the internet. If patching is delayed, implement the suggested compensating controls to reduce the attack surface and proactively monitor for any signs of compromise.