Document Title: VisualWare MyConnection Server 11.x Remote Code Execution Vulnerability
CVE Name: CVE-2021-27198
Vulnerability Class: CWE-434: Unrestricted Upload of File with Dangerous Type
Impact: Remote Code Execution
Exploitability:
- Remotely Exploitable: Yes
- Locally Exploitable: Yes
Release Date: 2021-02-25
Affected Product(s): VisualWare MyConnection Server 11.0 through 11.0b build 5382
Severity Level: High

Vulnerability Description:
An unauthenticated remote code execution vulnerability was discovered in VisualWare MyConnection Server 11.0 through 11.0b build 5382. The web endpoint at "https://example.com/myspeed/sf" allows an unauthenticated user to upload an arbitrary file to an arbitrary location on the server via a specially crafted POST request. Because both the file content and the destination path are attacker-controlled, an attacker can write a file anywhere the web server process has write access, which is what turns the upload into code execution. The application is written in Java and is therefore cross-platform. On Windows the installer runs the web server as SYSTEM, so successful exploitation yields SYSTEM (full administrative) privileges on the target system.

Vulnerability Disclosure Timeline:
- 2021-01-11: Contacted VisualWare about the issue via website contact form
- 2021-02-03: Emailed multiple VisualWare POCs requesting disclosure assistance
- 2021-02-11: Requested CVE from MITRE for the vulnerability
- 2021-02-12: Messaged lead VisualWare developer on LinkedIn after seeing they had looked at my profile. I assume this was because of my attempts to contact them
- 2021-02-18: Notified VisualWare about the issue again via website contact form and notified them I would be disclosing if they did not respond
- 2021-02-25: Publicly releasing vulnerability because the company refuses to respond to any attempts to coordinate disclosure
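The advisory names the vulnerable endpoint (/myspeed/sf) and the method (POST) but, with no vendor response, offers no fix; the practical thing a defender can do today is hunt for attempts against that endpoint in web server logs. The script below is an added example, not part of the advisory and not code from VisualWare: it parses NCSA combined-format lines (an assumption, since the advisory does not say what format MyConnection Server logs in), flags every POST to /myspeed/sf regardless of query string or response status, and tallies hits per client IP. The sample log lines are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log lines in NCSA combined format. The advisory does not
# describe MyConnection Server's log format, so this format is an assumption;
# adapt LOG_RE to the real log source. The last line is deliberately malformed
# to show that unparseable input is skipped rather than crashing the scan.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Feb/2021:10:01:02 +0000] "GET /myspeed/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Feb/2021:10:01:09 +0000] "POST /myspeed/sf HTTP/1.1" 200 17 "-" "python-requests/2.25.1"
198.51.100.4 - - [25/Feb/2021:10:02:30 +0000] "POST /myspeed/sf?a=b HTTP/1.1" 200 17 "-" "curl/7.68.0"
192.0.2.9 - - [25/Feb/2021:10:03:00 +0000] "GET /myspeed/sf HTTP/1.1" 405 0 "-" "Mozilla/5.0"
this line is garbage and must not crash the scanner
"""

# Path of the unauthenticated upload endpoint named in the advisory.
WATCHED_PATH = "/myspeed/sf"

# Combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_upload_attempt(entry: Dict[str, str]) -> bool:
    """True for a POST to the /myspeed/sf endpoint; the query string is ignored.

    Status is deliberately not checked: a 200 on this endpoint is not proof of a
    successful write, and a non-200 is not proof of failure, so every POST is a hit.
    """
    path = entry["path"].split("?", 1)[0]
    return entry["method"] == "POST" and path == WATCHED_PATH


def scan(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed entries that look like CVE-2021-27198 upload attempts."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_upload_attempt(entry):
            hits.append(entry)
    return hits


def summarize(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count attempts per client IP so repeat sources stand out."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} POST {h["path"]} -> {h["status"]} ({h.get("ua") or "-"})')
    print(summarize(scan(SAMPLE_LOG)))
```

Any POST to this endpoint from a source that has no business uploading to the server is worth treating as an incident on an affected build: since the advisory describes the upload as writing to an arbitrary location, follow a hit by checking the host for recently written files outside the application's expected upload directories.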