Q1. What is this vulnerability? (Essence + Consequences)
**Essence**: Improper input validation in SecurEnvoy MFA leads to **LDAP Injection**.…
**Root Cause**: **LDAP Injection** due to insufficient validation of user-supplied input. **CWE**: Not explicitly mapped in the data, but technically corresponds to **CWE-90** (LDAP Injection).
Q3. Who is affected? (Versions/Components)
**Affected**: **SecurEnvoy MFA** versions **before 9.4.514**. **Specifically**: Version 9.4.513 and earlier are vulnerable. **Vendor**: SecurEnvoy (UK).
Q4. What can attackers do? (Privileges/Data)
**Attacker Gain**: Exfiltrate Active Directory data via **blind LDAP injection**. **Critical Data**: Access to the `ms-Mcs-AdmPwd` attribute, revealing **cleartext local Administrator passwords** (LAPS feature).
Q5. Is the exploitation threshold high? (Auth/Config)
**Threshold**: **LOW**. **Auth**: None required; the flaw is reachable by an **unauthenticated** remote request. **Target**: DESKTOP service exposed on the `/secserver` HTTP endpoint. No login is needed to exploit.
Q6. Is there a public exploit? (PoC/Wild Exploitation)
**Exploit Status**: **Yes**, a public PoC is available. **Links**: GitHub repos by `optistream` and `noways-io` provide check scripts. **Nuclei**: A template is available for automated scanning.
Q7. How to self-check? (Features/Scanning)
**Self-Check**: Use the provided **PoC scripts** or **Nuclei templates** to scan for LDAP injection responses. **Indicator**: Look for blind LDAP injection behaviour on the `/secserver` endpoint.
Q8. Is it fixed officially? (Patch/Mitigation)
**Fix Available**: **Yes**. **Version**: Upgrade to **SecurEnvoy MFA >= 9.4.514**. **Action**: Check the vendor support portal for the patched release.
Q9. What if no patch? (Workaround)
**No Patch?**: Isolate the `/secserver` endpoint. **Block**: Restrict network access to the DESKTOP service. **Mitigate**: Implement WAF rules to filter LDAP special characters in inputs.
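The root cause (Q1) and the interim mitigation above both come down to how untrusted input reaches an LDAP search filter. The following is an added illustration, not code from SecurEnvoy or from the cited PoC repositories: it shows raw concatenation beside the hardened form (RFC 4515 escaping plus an allowlist), with a structural check that makes the difference visible. The filter shape, the `USERNAME_RE` policy and the sample input are assumptions constructed for the example.

```python
import re

# RFC 4515 section 3 requires these characters to be hex-escaped when they
# appear inside an assertion value; backslash is listed first so an input
# backslash is never re-escaped by a later rule.
LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Allowlist for an account name (hypothetical policy; tighten it for your directory).
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def escape_ldap_filter_value(value: str) -> str:
    """Escape an untrusted string so it is a literal assertion value, never filter syntax."""
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def is_valid_username(value: str) -> bool:
    """Defence in depth: reject anything outside the allowlist before it reaches LDAP."""
    return USERNAME_RE.match(value) is not None


def build_user_filter_unsafe(username: str) -> str:
    """The anti-pattern: the raw value is concatenated straight into the filter string."""
    return f"(&(objectClass=user)(sAMAccountName={username}))"


def build_user_filter(username: str) -> str:
    """Hardened form: allowlist check first, then RFC 4515 escaping of the value."""
    if not is_valid_username(username):
        raise ValueError("username rejected by allowlist")
    return f"(&(objectClass=user)(sAMAccountName={escape_ldap_filter_value(username)}))"


def filter_clause_count(ldap_filter: str) -> int:
    """Number of '(' in a filter; input that changes this has altered the filter's structure."""
    return ldap_filter.count("(")


if __name__ == "__main__":
    tainted = "alice*)(cn=*"  # constructed input carrying filter metacharacters
    print(build_user_filter_unsafe(tainted))  # 4 clauses: the value rewrote the filter
    print(build_user_filter("alice"))         # (&(objectClass=user)(sAMAccountName=alice))
    print(escape_ldap_filter_value(tainted))  # alice\2a\29\28cn=\2a
```

The same escaping rule applies to any attribute value built from request data; a WAF rule that blocks `*`, `(`, `)` and `\` is a stopgap, whereas escaping at the point of filter construction is the fix the patched release is expected to embody.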
Q10. Is it urgent? (Priority Suggestion)
**Urgency**: **CRITICAL**. **Reason**: Unauthenticated access + cleartext Administrator passwords. **Priority**: Patch immediately to prevent full domain compromise via LAPS password theft.