PT-2020-14671 · Parallels · Parallels Remote Application Server

Published: 2020-07-24 · Updated: 2023-01-20 · CVE-2020-15860

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Parallels Remote Application Server (RAS) version 17.1.1

Description: The issue is a business logic error that allows remote code execution. An authenticated user can launch any application in the backend operating system through the web application, even if that application is not published. The same user can also reach any host in the internal domain, regardless of whether that host has published applications or whether it is still associated with the server farm.

Recommendations: For Parallels Remote Application Server (RAS) version 17.1.1, consider restricting access to the web application to minimize the risk of exploitation until a fix is available. As a temporary workaround, limit the applications that can be executed in the backend operating system to only those that are necessary and published. Additionally, restrict access to internal domain hosts to prevent unauthorized access. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Related Identifiers

CVE-2020-15860

Affected Products

Parallels Remote Application Server