PT-2026-44117 · Microsoft · Ufo

Beanduan22 · Published 2026-05-27 · Updated 2026-05-28 · CVE-2026-45322

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Microsoft UFO versions prior to 3.0.1

Description: An OS command injection issue exists in the shell action replay path. The functions ShellReceiver.run_shell() and ShellReceiver.execute_command() pass command strings from action parameters directly to subprocess.Popen() using shell=True and executable=powershell.exe. These functions are triggered by action classes such as RunShellCommand.execute() and ExecuteCommand.execute(), which forward stored action parameters. Since the framework stores planned and executed actions in per-session JSON records, an attacker capable of writing or modifying these JSON files can plant a shell action. This allows the execution of arbitrary commands as the process user when the session is resumed or replayed.

Recommendations: Update to a version later than 3.0.0.
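
The description above turns on stored action records being trusted at replay time. The following is an added example, not code from UFO or from its fix: it seals a session's action list with HMAC-SHA256 and refuses to replay a record that was modified or that carries a shell action without explicit approval. The record layout ("actions", "action", "params", "mac") and the function names are assumptions for illustration, and the key is assumed to live outside the directory that holds the session files.

```python
import hashlib
import hmac
import json

# Action class names taken from the advisory; treating them as the
# shell-capable set is an assumption of this example.
SHELL_ACTIONS = {"RunShellCommand", "ExecuteCommand"}


def _tag(actions, key):
    """HMAC-SHA256 over a deterministic serialisation of the action list."""
    blob = json.dumps(actions, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def seal_session(actions, key):
    """Return the JSON text to store on disk: the actions plus their MAC."""
    return json.dumps({"actions": actions, "mac": _tag(actions, key)})


def load_for_replay(text, key, allow_shell=False):
    """Verify a stored record and return the actions that may be replayed.

    Raises ValueError if the record is malformed, was modified after it
    was sealed, or contains a shell action while allow_shell is False.
    """
    record = json.loads(text)
    if not isinstance(record, dict):
        raise ValueError("malformed session record")
    actions, mac = record.get("actions"), record.get("mac")
    if not isinstance(actions, list) or not isinstance(mac, str):
        raise ValueError("malformed session record")
    # Compare as bytes so a non-ASCII tag cannot raise inside compare_digest.
    if not hmac.compare_digest(_tag(actions, key).encode(), mac.encode()):
        raise ValueError("session record failed integrity check")
    for act in actions:
        if not isinstance(act, dict):
            raise ValueError("malformed action entry")
        if act.get("action") in SHELL_ACTIONS and not allow_shell:
            raise ValueError("shell action requires explicit approval")
    return actions


if __name__ == "__main__":
    key = b"\x01" * 32  # constructed key; load from a protected store in practice
    stored = seal_session([{"action": "Click", "params": {"control": "OK"}}], key)
    print(load_for_replay(stored, key))
```

The integrity check stops a planted or edited record from reaching the replay path at all; the allow_shell gate covers records that were sealed legitimately but still contain a shell action.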

Exploit

Fix

Weakness Enumeration: OS Command Injection

Related Identifiers: CVE-2026-45322

Affected Products: Ufo