
CVE-2024-36074: n/a

High
Published: Thu Jun 27 2024 (06/27/2024, 00:00:00 UTC)
Source: CVE Database V5

Description

Netwrix CoSoSys Endpoint Protector through 5.9.3 and CoSoSys Unify through 7.0.6 contain a remote code execution vulnerability in the Endpoint Protector and Unify agent in the way that the EasyLock dependency is acquired from the server. An attacker with administrative access to the Endpoint Protector or Unify server can cause a client to acquire and execute a malicious file resulting in remote code execution.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/26/2026, 05:00:20 UTC

Technical Analysis

CVE-2024-36074 is a remote code execution vulnerability found in Netwrix CoSoSys Endpoint Protector through version 5.9.3 and CoSoSys Unify through version 7.0.6. The vulnerability stems from the mechanism by which the client agents acquire the EasyLock dependency from the management server. Specifically, an attacker who has administrative access to the Endpoint Protector or Unify server can manipulate the server to deliver a malicious payload disguised as the EasyLock dependency. When the client agent downloads and executes this payload, the result is arbitrary code execution on the client machine. This flaw is categorized under CWE-94 (Improper Control of Generation of Code, "Code Injection"). The attack is network-based (AV:N) and has low attack complexity (AC:L), but it requires high privileges on the server (PR:H) and no user interaction (UI:N). The vulnerability impacts confidentiality, integrity, and availability, as an attacker can execute arbitrary code remotely, potentially taking full control of affected endpoints. No patches or exploit code are currently publicly available, but the risk is elevated due to the nature of the vulnerability and the privileged access required to exploit it.

Potential Impact

The exploitation of CVE-2024-36074 can have severe consequences for organizations using Netwrix CoSoSys Endpoint Protector or CoSoSys Unify. An attacker with administrative access to the management server can execute arbitrary code on client endpoints, potentially leading to full system compromise. This can result in data breaches, unauthorized access to sensitive information, disruption of endpoint security controls, and lateral movement within the network. Since the vulnerability affects endpoint protection software, successful exploitation could undermine the security posture of an organization by disabling or manipulating security agents. The impact spans confidentiality, integrity, and availability, making it a critical concern for enterprises relying on these products for data loss prevention and endpoint security management.

Mitigation Recommendations

Organizations should immediately verify if they are running vulnerable versions of Netwrix CoSoSys Endpoint Protector (up to 5.9.3) or CoSoSys Unify (up to 7.0.6). Since no official patches are currently listed, administrators should restrict administrative access to the Endpoint Protector and Unify servers to trusted personnel only and enforce strong authentication and network segmentation to limit exposure. Monitoring and auditing server access logs for suspicious activity is critical. Additionally, organizations should consider implementing application allowlisting on client endpoints to prevent unauthorized execution of unexpected binaries. Network-level controls such as restricting client agent communication to only trusted servers and employing intrusion detection systems to flag anomalous payload deliveries can help mitigate risk. Once vendor patches or updates become available, prompt application is essential. Regular backups and incident response readiness will also help minimize damage if exploitation occurs.


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2024-05-19T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6c5db7ef31ef0b5634eb

Added to database: 2/25/2026, 9:40:45 PM

Last enriched: 2/26/2026, 5:00:20 AM

Last updated: 4/12/2026, 4:22:07 PM
