PT-2021-17317 · Visualware · Visualware Myconnection Server
B0Yd +1 · Published 2021-02-26 · Updated 2023-10-25 · CVE-2021-27198
CVSS v2.0 · 10 · Critical · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions:
Visualware MyConnection Server versions prior to 11.1a
Description:
An issue was discovered in Visualware MyConnection Server that allows unauthenticated remote code execution via arbitrary file upload in the web service through the "myspeed/sf?filename=" URI. Because the endpoint requires no authentication, any client that can reach the web service over the network can trigger the upload. The application is written in Java and is therefore cross-platform. On Windows the service runs as SYSTEM, so successful exploitation yields administrator-level (SYSTEM) privileges on the target host.
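A detection check for the behaviour described above, written here as an added example (it is not Visualware code and not part of the original advisory): it scans web-server access logs in the common "combined" format for requests to the myspeed/sf endpoint that carry a filename parameter, and annotates each hit with generic upload-abuse indicators (path traversal, executable extension). The log lines are constructed samples, and the log format and the exact request path are assumptions; adjust the regex to whatever front end logs the traffic.

```python
"""Flag access-log entries hitting MyConnection Server's myspeed/sf endpoint
with a filename parameter (CVE-2021-27198 upload vector).

Added example, not vendor code. Log format, sample lines and the indicator
heuristics are assumptions for illustration."""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined"-style access log (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Extensions that would give a dropped file code-execution potential on a
# Java web server or a Windows host; generic list, not vendor-specific.
RISKY_EXT = {".jsp", ".jspx", ".war", ".jar", ".class", ".sh", ".bat", ".cmd", ".exe", ".ps1"}

# Constructed sample log lines (not from a real system).
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Feb/2021:10:01:02 +0000] "POST /myspeed/sf?filename=../../webapps/ROOT/shell.jsp HTTP/1.1" 200 12',
    '198.51.100.9 - - [26/Feb/2021:10:01:05 +0000] "GET /myspeed/ HTTP/1.1" 200 4312',
    '192.0.2.5 - - [26/Feb/2021:10:02:17 +0000] "POST /myspeed/sf?filename=report.txt HTTP/1.1" 200 0',
    '203.0.113.7 - - [26/Feb/2021:10:03:40 +0000] "POST /myspeed/sf?filename=%2e%2e%2f%2e%2e%2fcmd.bat HTTP/1.1" 200 5',
]


def indicators_for(filename):
    """Return a list of generic indicators for a client-supplied filename."""
    found = []
    # Normalise separators so Windows-style traversal is caught too.
    normalised = filename.replace("\\", "/")
    if (".." in normalised.split("/")
            or normalised.startswith("/")
            or re.match(r"^[A-Za-z]:", normalised)):
        found.append("path traversal")
    if posixpath.splitext(normalised)[1].lower() in RISKY_EXT:
        found.append("executable extension")
    return found


def analyze(line):
    """Return a finding dict for a myspeed/sf?filename= request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    # Match the endpoint regardless of any context path in front of it.
    if not parts.path.lower().rstrip("/").endswith("/myspeed/sf"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if "filename" not in params:
        return None
    # parse_qs decodes once; decode again to catch double-encoded traversal.
    filename = unquote(params["filename"][0])
    return {
        "ip": m["ip"],
        "timestamp": m["ts"],
        "method": m["method"],
        "status": int(m["status"]),
        "filename": filename,
        "indicators": indicators_for(filename),
    }


def scan(lines):
    """Run analyze() over an iterable of log lines and collect findings."""
    return [f for f in map(analyze, lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Every request to the endpoint with a filename parameter is reported, not only those with indicators, because the endpoint is unauthenticated and legitimate use from untrusted networks should be rare; the indicators just rank which hits to look at first. A 200 response on a flagged line is a reason to inspect the web root and installation directory for recently written files.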
Recommendations:
For versions prior to 11.1a, update to version 11.1a or later to resolve the issue. As a temporary workaround, restrict network access to the "myspeed/sf" API endpoint (for example at a firewall or reverse proxy) so that only trusted clients can reach it, and block requests to that endpoint that carry a filename parameter until the fix is applied. Restricting access reduces exposure but does not remove the vulnerable code; review the web root and installation directory for unexpected files if the endpoint has been reachable from untrusted networks.
Fix · RCE · Unrestricted File Upload
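One way to apply the temporary workaround on an nginx reverse proxy placed in front of the MyConnection Server web service, given here as an added example rather than vendor-supplied configuration. The upstream address and port, the hostname and the trusted client range are placeholders, and the rule assumes the application is served from the root path.

```nginx
# Temporary mitigation for CVE-2021-27198 at a reverse proxy.
# Added example, not Visualware configuration. Upstream address, server
# name and the allowed network are placeholders; adjust to your deployment.
upstream mcs_backend {
    server 127.0.0.1:8080;   # placeholder: MyConnection Server web service
}

server {
    listen 443 ssl;
    server_name mcs.example.internal;   # placeholder
    # TLS certificate and key directives omitted

    # The vulnerable upload endpoint; anchored at the root context path.
    location ~* ^/myspeed/sf {
        # Refuse any request that carries a filename parameter at all.
        if ($arg_filename != "") {
            return 403;
        }
        # Only trusted clients may reach the endpoint even without it.
        allow 10.0.0.0/8;   # placeholder: trusted client range
        deny  all;
        proxy_pass http://mcs_backend;
    }

    location / {
        proxy_pass http://mcs_backend;
    }
}
```

The `$arg_filename` variable is nginx's built-in accessor for the `filename` query parameter, so the `return 403` fires before the request reaches the Java service. This only helps if the service itself is not reachable directly; bind it to localhost or firewall its port so that the proxy is the only path in.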
Affected Products
Visualware Myconnection Server