CVE-2021-42954

Name of the Vulnerable Software and Affected Versions Zoho Remote Access Plus Server Windows Desktop Binary versions prior to 10.1.2121.1

Description The issue is related to incorrect access control, where the installation directory has weak file permissions, allowing full control for the Windows Everyone user group. This includes non-admin and guest users, which can lead to privilege escalation, unauthorized password reset, stealing of sensitive data, access to credentials in plaintext, access to registry values, and tampering with configuration files.

Recommendations For versions prior to 10.1.2121.1, update to version 10.1.2121.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the installation directory to prevent unauthorized access until a patch is applied. Restrict access to sensitive data and credentials to minimize the risk of exploitation.