CVE-2021-31769
📋 TL;DR
CVE-2021-31769 allows unprivileged users to execute arbitrary operating system commands on MyQ X Smart servers. This occurs due to an authorization bypass in the 'Select server file' feature and insecure session data storage. Organizations running vulnerable MyQ Server versions are affected.
💻 Affected Systems
- MyQ X Smart
📦 What is this software?
MyQ Server by MyQ Solution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to install malware, steal data, pivot to other systems, or deploy ransomware across the network.
Likely Case
Attackers gain administrative access to the MyQ server, potentially compromising print infrastructure and using it as a foothold for lateral movement.
If Mitigated
Limited impact with proper network segmentation and access controls preventing exploitation attempts.
🎯 Exploit Status
Public exploit code demonstrates command injection via Task Scheduler. Attack requires network access to MyQ server but no authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.2 or later
Vendor Advisory: https://www.myq-solution.com/en/support/security-advisories
Restart Required: Yes
Instructions:
1. Download MyQ X Smart version 8.2 or newer from official vendor portal.
2. Backup current configuration.
3. Run installer to upgrade.
4. Restart MyQ services.
5. Verify version in administration interface.
🔧 Temporary Workarounds
Restrict access to PHP Sessions directory
Windows: Set strict permissions on %PROGRAMFILES%\MyQ\PHP\Sessions to prevent unauthorized reading of session data
icacls "%PROGRAMFILES%\MyQ\PHP\Sessions" /inheritance:r /grant:r "Administrators:(OI)(CI)F" /grant:r "SYSTEM:(OI)(CI)F"
Network segmentation
All platforms: Isolate the MyQ server from the internet and restrict internal access to authorized users only
🧯 If You Can't Patch
- Implement strict network access controls to limit connections to MyQ server from trusted IP addresses only
- Monitor %PROGRAMFILES%\MyQ\PHP\Sessions directory for unauthorized access attempts and review Task Scheduler logs for suspicious entries
🔍 How to Verify
Check if Vulnerable:
Check MyQ version in administration interface. If version is below 8.2, system is vulnerable. Also verify if %PROGRAMFILES%\MyQ\PHP\Sessions directory has weak permissions.
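One way to carry out the permissions part of this check on the server, as an added example (not vendor code and not from the original advisory). It reports every Allow entry on the session directory that belongs to a principal other than Administrators or SYSTEM, and whether inheritance from the parent folder is still enabled. The parameter names, the function name and the allowed-SID list are assumptions of this example.

```powershell
# Added example: report ACL entries on the MyQ PHP session directory that
# deviate from the Administrators/SYSTEM-only state set by the icacls workaround.
param(
    [string]$SessionPath = (Join-Path $env:ProgramFiles 'MyQ\PHP\Sessions'),
    # Assumption: only these principals need access. Add the SID of the MyQ
    # service account here if the service does not run as SYSTEM.
    [string[]]$AllowedSids = @('S-1-5-32-544', 'S-1-5-18')  # Administrators, SYSTEM
)

function Get-SessionAclFinding {
    param([string]$Path, [string[]]$Allowed)

    $acl = Get-Acl -LiteralPath $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Compare by SID so the check also works on localized Windows installs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        if ($Allowed -contains $sid) { continue }
        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(unresolved)' }
        [pscustomobject]@{
            Sid       = $sid
            Account   = $name
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if (-not (Test-Path -LiteralPath $SessionPath -PathType Container)) {
    Write-Error "Session directory not found: $SessionPath"
    exit 2
}

# The workaround uses /inheritance:r; if inheritance is still on, entries from
# the parent Program Files folder continue to apply to the session files.
$protected = (Get-Acl -LiteralPath $SessionPath).AreAccessRulesProtected
$findings  = @(Get-SessionAclFinding -Path $SessionPath -Allowed $AllowedSids)

"Inheritance disabled: $protected"
if ($findings.Count -eq 0 -and $protected) {
    'OK: only the allowed principals have access.'
} else {
    $findings | Format-Table -AutoSize
    exit 1
}
```

Run it from an elevated PowerShell session; a non-zero exit code means the directory does not match the state the workaround is meant to produce.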
Check Version:
Check the version in the MyQ web interface at http://[server-ip]:[port], or review installed programs in Windows Control Panel
Verify Fix Applied:
Confirm MyQ version is 8.2 or higher in administration interface. Test that unauthenticated users cannot access administrative features.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to administrative endpoints
- Unusual Task Scheduler entries creating PHP files
- Access to %PROGRAMFILES%\MyQ\PHP\Sessions by non-admin users
Network Indicators:
- Unusual HTTP requests to MyQ administrative endpoints from unauthorized sources
- Command and control traffic originating from MyQ server
SIEM Query:
(source="myq-server" AND (uri_path="/admin/*" OR uri_path="/task/*") AND user="anonymous") OR (source="windows-security" AND event_id=4688 AND process_name="cmd.exe" AND parent_process="myq*")