Backdoor in 3CX Electron desktop app for Windows and Mac

1) Embedded malicious code (backdoor)

EUVDB-ID: #VU74216

Risk: Critical

CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]

CVE-ID: CVE-2023-29059

CWE-ID: CWE-506 - Embedded Malicious Code

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to the application.

The vulnerability exists due to presence of embedded malicious functionality in the application code (aka backdoor) that allows a remote attacker to gain unauthorized access to the application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Electron Mac App: 18.11.1213 - 18.12.416

Electron Windows App: 18.12.407 - 18.12.416

CPE2.3

• cpe:2.3:a:3cx:electron_mac_app:18.11.1213:*:*:*:*:*:*:*
• cpe:2.3:a:3cx:electron_mac_app:18.12.402:*:*:*:*:*:*:*
• cpe:2.3:a:3cx:electron_mac_app:18.12.407:*:*:*:*:*:*:*
• cpe:2.3:a:3cx:electron_windows_app:18.12.407:*:*:*:*:*:*:*
• cpe:2.3:a:3cx:electron_windows_app:18.12.416:*:*:*:*:*:*:*

External links

http://www.3cx.com/blog/news/desktopapp-security-alert/
http://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
http://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/
http://success.trendmicro.com/dcx/s/solution/000292711?language=en_US

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.