Atera’s remote monitoring and management software was found to have zero-day vulnerabilities in its Windows Installers, posing serious risks of privilege escalation attacks.
Discovered by Mandiant, the flaws enabled attackers to execute arbitrary code with elevated privileges, making them a significant threat to organizations. The vulnerabilities, assigned as CVE-2023-26077 and CVE-2023-26078, were addressed in subsequent versions of the software released by Atera, but their discovery highlights the importance of thorough security reviews and proactive measures to protect against escalating threats.
The specific weaknesses found in the MSI installer’s repair functionality allowed operations to be triggered from an NT AUTHORITY\SYSTEM context, even if initiated by a standard user.
By exploiting these flaws, attackers could gain access to a Command Prompt as the NT AUTHORITY\SYSTEM user, potentially enabling local privilege escalation attacks.
Security researcher Andrew Oliveau warned about the potential risks, emphasizing the importance of properly managing Custom Actions to prevent such exploits. The vulnerabilities were patched in versions 1.8.3.7 and 1.8.4.9 released by Atera in April and June 2023, respectively, but prior to that, they served as a springboard for attacks that could execute arbitrary code with elevated privileges, posing significant risks to organizations and their systems.
