CVE-2024-36075: n/a
CVE-2024-36075 is an arbitrary code execution vulnerability affecting CoSoSys Endpoint Protector through version 5.9.3 and Unify agent through 7.0.6. The flaw arises from insecure extraction of archives obtained from the Endpoint Protector or Unify server on the endpoint device. An attacker with the ability to modify the archive on the server can execute code remotely with administrator privileges on the endpoint. This vulnerability does not require user interaction but does require some level of privileges on the server to modify the archive. The CVSS score is 6.5, indicating medium severity, with a high impact on integrity but no direct confidentiality or availability impact.
AI Analysis
Technical Summary
CVE-2024-36075 is a vulnerability identified in CoSoSys Endpoint Protector (up to version 5.9.3) and Unify agent (up to version 7.0.6) that allows arbitrary code execution on endpoint devices. The root cause is the insecure handling and extraction of archive files retrieved from the Endpoint Protector or Unify server. Specifically, if an attacker can modify the archive on the server, they can craft malicious payloads embedded within the archive that, when extracted on the endpoint, execute arbitrary code with administrator privileges. This vulnerability is categorized under CWE-94 (Improper Control of Generation of Code), indicating that the system improperly handles code generation or execution. The attack vector is network-based (AV:N), with low attack complexity (AC:L), but requires privileges on the server (PR:L) and no user interaction (UI:N). The scope is unchanged (S:U), meaning the impact is limited to the vulnerable component. The vulnerability primarily impacts the integrity of the system by allowing unauthorized code execution but does not directly affect confidentiality or availability. No patches or exploit code are currently publicly available, and no active exploitation has been reported. However, the potential for remote code execution with administrative privileges on endpoints makes this a significant risk for affected organizations.
Potential Impact
The primary impact of CVE-2024-36075 is the potential for remote code execution on endpoint devices with administrative privileges, which can lead to full system compromise. An attacker who can modify the archive on the server can execute arbitrary commands, potentially installing malware, stealing data, or disrupting endpoint operations. This undermines the integrity of the endpoint environment and could facilitate lateral movement within an organization’s network. Although confidentiality and availability impacts are not directly indicated, the ability to execute arbitrary code could be leveraged to escalate privileges, exfiltrate sensitive information, or disrupt endpoint functionality indirectly. Organizations relying on CoSoSys Endpoint Protector or Unify agents are at risk, especially if the attacker has access to the server environment or can intercept and modify the archive files. The medium CVSS score reflects the requirement for some level of privilege on the server and the absence of user interaction, but administrator-level code execution on endpoints elevates the threat considerably.
Mitigation Recommendations
1. Immediately verify and apply any available patches or updates from CoSoSys addressing this vulnerability once released.
2. Restrict and monitor access to the Endpoint Protector and Unify servers to prevent unauthorized modification of archive files. Implement strict access controls and audit logging on these servers.
3. Employ network segmentation to isolate management servers from general user networks, reducing the risk of attacker access.
4. Use file integrity monitoring on the server to detect unauthorized changes to archive files before they are distributed to endpoints.
5. Consider implementing endpoint application whitelisting to prevent execution of unauthorized code, even if malicious payloads are delivered.
6. Regularly review and harden server configurations to minimize privilege escalation opportunities.
7. Monitor endpoint and server logs for unusual activity indicative of exploitation attempts.
8. Educate administrators on the risks of this vulnerability and the importance of securing the server environment.
9. If patching is delayed, consider temporarily disabling automatic archive extraction or deploying compensating controls to validate archive integrity before extraction.
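As an added illustration of items 4 and 9 (example code, not CoSoSys's or the product's own): a Python sketch in which the server keeps a SHA-256 baseline of the archives it distributes, and the endpoint extracts an archive only when its digest matches a pinned manifest and every entry is a plain file that lands inside the target directory. The archive name, its contents and the temporary directories are constructed for the demonstration.

```python
# Added example (not CoSoSys code) for mitigations 4 and 9 above: the server keeps
# a SHA-256 baseline of the archives it distributes (integrity monitoring) and the
# endpoint extracts only an archive whose digest matches its pinned manifest.
# All file names and contents below are constructed for illustration.
import hashlib
import io
import os
import tarfile
import tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(archive_dir):  # server side: digest per distributable archive
    return {n: sha256_file(os.path.join(archive_dir, n))
            for n in sorted(os.listdir(archive_dir))}

def changed_archives(archive_dir, baseline):
    # server side: names whose current digest no longer matches the baseline
    current = build_baseline(archive_dir)
    return [n for n in baseline if current.get(n) != baseline[n]]

def extract_if_trusted(archive_path, manifest, dest):
    # endpoint side: refuse anything not pinned, then extract plain files only
    if manifest.get(os.path.basename(archive_path)) != sha256_file(archive_path):
        return False
    root = os.path.realpath(dest) + os.sep
    with tarfile.open(archive_path, "r:gz") as tar:
        # reject links, devices and any entry that would land outside dest
        if not all(m.isfile() and os.path.realpath(os.path.join(dest, m.name))
                   .startswith(root) for m in tar.getmembers()):
            return False
        tar.extractall(dest)
    return True

def make_archive(path, files):  # constructed sample .tar.gz from {name: bytes}
    with tarfile.open(path, "w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

def demo():  # pin a good archive, extract it, then tamper with it on the server
    srv, out = tempfile.mkdtemp(), tempfile.mkdtemp()
    arc = os.path.join(srv, "agent-update.tar.gz")
    make_archive(arc, {"update/config.ini": b"mode=safe\n"})
    baseline = build_baseline(srv)
    first = extract_if_trusted(arc, baseline, out)
    make_archive(arc, {"update/config.ini": b"mode=tampered\n"})
    return first, changed_archives(srv, baseline), extract_if_trusted(arc, baseline, out)
```

In a real deployment the manifest would be signed by the vendor or the organisation rather than built on the same server that serves the archives, so that a server-side modification cannot also rewrite the pin.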
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Switzerland, Japan, South Korea
Technical Details
Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2024-05-19T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED
Threat ID: 699f6c5db7ef31ef0b5634ee
Added to database: 2/25/2026, 9:40:45 PM
Last enriched: 2/26/2026, 5:00:34 AM
Last updated: 2/26/2026, 6:11:32 AM