Jan Friedli

Researcher from Compass Security
#38218 of 53,635
7.2 Total CVSS
Vulnerabilities · 1
PT-2022-23761
7.2
2022-09-21
Ahsay · Ahsaycbs · CVE-2022-37027
**Name of the Vulnerable Software and Affected Versions**

Ahsay AhsayCBS version 9.1.4.0

**Description**

The issue allows an authenticated administrative user to inject arbitrary Java JVM options. Administrators with the ability to modify the Runtime Options in the web interface can inject Java Runtime Options, which take effect after a restart. An attacker with that access can use it to enable JMX services, potentially achieving remote code execution as the system user the AhsayCBS process runs as.

**Recommendations**

For Ahsay AhsayCBS version 9.1.4.0, consider restricting access to the Runtime Options in the web interface to prevent arbitrary Java JVM options injection until a patch is available. As a temporary workaround, avoid using the feature to modify Runtime Options to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
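The description above hinges on a free-form Runtime Options field being passed straight to the JVM. The following script is an added example, not part of this advisory and not Ahsay's code: it shows the two checks a practitioner would put in front of such a field, a deny-list audit that flags options which expose a management interface or load code (the JMX flags the advisory mentions, plus agent, boot-class-path and crash-hook options), and a stricter allow-list that rejects anything except a few tuning flags. The option patterns, the allow-list and the sample values are assumptions constructed for this example from general JVM behaviour; how AhsayCBS stores or applies the field is not known from the page.

```python
import re
import shlex

# (regex matched against one JVM option token, why it matters).
# First match wins, so the specific JMX patterns sit above the generic one.
# Constructed for this example from general JVM knowledge, not from the advisory.
DANGEROUS_JVM_OPTIONS = [
    (r"^-Dcom\.sun\.management\.jmxremote\.authenticate=false$",
     "remote JMX without authentication"),
    (r"^-Dcom\.sun\.management\.jmxremote\.ssl=false$",
     "remote JMX without TLS"),
    (r"^-Dcom\.sun\.management\.jmxremote(\.|=|$)",
     "enables the remote JMX agent"),
    (r"^-javaagent:", "loads an arbitrary Java agent jar at startup"),
    (r"^-agentpath:", "loads an arbitrary native agent library"),
    (r"^-agentlib:", "loads a native agent library (e.g. the jdwp debugger)"),
    (r"^-Xrunjdwp:", "enables the JDWP debugger"),
    (r"^-Xbootclasspath", "injects classes into the boot class path"),
    (r"^-XX:OnError=", "runs a shell command when the JVM crashes"),
    (r"^-XX:OnOutOfMemoryError=", "runs a shell command on OutOfMemoryError"),
]

# Options an administrator legitimately needs for tuning. Everything else is
# rejected by the allow-list check. Illustrative assumption; adapt per deployment.
ALLOWED_JVM_OPTIONS = [
    r"^-Xm[sx]\d+[kKmMgG]?$",
    r"^-Xss\d+[kKmMgG]?$",
    r"^-XX:[+-]Use(Serial|Parallel|G1|Z|Shenandoah)GC$",
    r"^-XX:MaxMetaspaceSize=\d+[kKmMgG]?$",
    r"^-Dfile\.encoding=UTF-8$",
    r"^-Duser\.timezone=[A-Za-z_/+-]+$",
]


def tokenize(options: str) -> list[str]:
    """Split a Runtime Options string into tokens the way a shell launcher would."""
    return shlex.split(options)


def audit_runtime_options(options: str) -> list[tuple[str, str]]:
    """Deny-list check: return (token, reason) for every known-dangerous option."""
    findings = []
    for token in tokenize(options):
        for pattern, reason in DANGEROUS_JVM_OPTIONS:
            if re.match(pattern, token):
                findings.append((token, reason))
                break  # one finding per token
    return findings


def reject_unknown_options(options: str) -> list[str]:
    """Allow-list check: return every token that is not explicitly permitted."""
    return [t for t in tokenize(options)
            if not any(re.match(p, t) for p in ALLOWED_JVM_OPTIONS)]


if __name__ == "__main__":
    # Constructed sample values; not taken from any real AhsayCBS installation.
    benign = "-Xmx4g -Xms1g -XX:+UseG1GC"
    hostile = ("-Xmx4g -Dcom.sun.management.jmxremote.port=9010 "
               "-Dcom.sun.management.jmxremote.authenticate=false "
               "-Dcom.sun.management.jmxremote.ssl=false "
               "-javaagent:/tmp/payload.jar")
    for label, value in (("benign", benign), ("hostile", hostile)):
        print(label, "deny-list findings:", audit_runtime_options(value))
        print(label, "not on allow-list:", reject_unknown_options(value))
```

The deny-list is useful for detection over existing configurations (run it against the stored Runtime Options value after any administrative change), but it can only catch flags someone thought of; the allow-list is the hardening posture, since a JVM accepts many more ways to load code than the ten listed here.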