CVE-2021-36356
📋 TL;DR
CVE-2021-36356 is a critical remote code execution vulnerability in KRAMER VIAware software that allows attackers to execute arbitrary code by sending specially crafted requests to the ajaxPages/writeBrowseFilePathAjax.php endpoint. This affects all KRAMER VIAware installations through August 2021. The vulnerability exists due to an incomplete fix for CVE-2019-17124.
💻 Affected Systems
- KRAMER VIAware
📦 What is this software?
Viaware by Kramerav
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands with system-level privileges, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Remote attackers gain shell access to the affected system, enabling them to install malware, pivot to internal networks, or disrupt operations.
If Mitigated
With proper network segmentation and access controls, impact is limited to the isolated VIAware system only.
🎯 Exploit Status
Exploitation requires no authentication, and public proof-of-concept code is available. The vulnerability is actively exploited in the wild.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after August 2021
Vendor Advisory: https://www.kramerav.com/us/product/viaware
Restart Required: Yes
Instructions:
1. Contact KRAMER support for the latest VIAware update.
2. Back up the current configuration.
3. Apply the patch/update.
4. Restart the VIAware service.
5. Verify the fix is applied.
🔧 Temporary Workarounds
Block vulnerable endpoint
Block access to the vulnerable PHP file via web server configuration or firewall rules.
# Apache (per-directory / .htaccess context, mod_rewrite required):
RewriteEngine On
RewriteRule ^ajaxPages/writeBrowseFilePathAjax\.php$ - [F]
# Nginx (inside the server block):
location ~ ^/ajaxPages/writeBrowseFilePathAjax\.php$ { return 403; }
Restrict network access
Limit VIAware access to trusted networks only using firewall rules.
# iptables example (replace trusted_network with your management network, e.g. a CIDR):
iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
🧯 If You Can't Patch
- Immediately isolate the VIAware system from internet access and restrict to internal trusted networks only
- Implement strict network segmentation and monitor for suspicious activity targeting the vulnerable endpoint
🔍 How to Verify
Check if Vulnerable:
Check if ajaxPages/writeBrowseFilePathAjax.php is accessible and accepts arbitrary path parameters. Test with controlled payloads in a safe environment.
Check Version:
Check VIAware version in web interface or configuration files. Typically found in /var/www/viaware/ or similar web root.
Verify Fix Applied:
Verify the vulnerable endpoint no longer accepts arbitrary executable pathnames or has been properly secured.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to ajaxPages/writeBrowseFilePathAjax.php with suspicious parameters
- Unusual process execution from web server context
- System commands executed by www-data or similar web user
Network Indicators:
- POST requests to writeBrowseFilePathAjax.php with executable paths
- Outbound connections from VIAware server to suspicious IPs
SIEM Query:
source="web_server" AND uri="*writeBrowseFilePathAjax.php*" AND (param="*cmd*" OR param="*exec*" OR param="*system*")
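The log indicators and SIEM query above can also be applied directly to web server access logs. The following script is an added example for this advisory, not code from Kramer or from the advisory itself. It assumes the web server in front of VIAware writes Apache/Nginx "combined" format access logs; the log lines in SAMPLE_LOG are constructed, and the keyword list is taken from the SIEM query (cmd, exec, system). Since access logs do not record POST bodies, body parameters are only visible to a WAF or full-request log; here any POST to the endpoint is reported as high severity on its own, and a 403 is reported as a blocked attempt so the workaround can be seen working.

```python
"""Flag access-log requests aimed at the CVE-2021-36356 endpoint.

Added example for this advisory, not code from Kramer or from the
advisory itself. Assumes combined-format access logs; sample lines
below are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

VULN_ENDPOINT = "ajaxPages/writeBrowseFilePathAjax.php"
# Parameter keywords from the advisory's SIEM query.
SUSPICIOUS_KEYWORDS = ("cmd", "exec", "system")

# host ident user [time] "METHOD target proto" status size ... (rest ignored)
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (203.0.113.0/24 is a documentation range).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Aug/2021:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2021:12:00:02 +0000] "POST /ajaxPages/writeBrowseFilePathAjax.php HTTP/1.1" 200 0 "-" "python-requests/2.25"
203.0.113.7 - - [10/Aug/2021:12:00:03 +0000] "GET /ajaxPages/writeBrowseFilePathAjax.php?cmd=test HTTP/1.1" 200 44 "-" "curl/7.68.0"
10.0.0.9 - - [10/Aug/2021:12:00:04 +0000] "GET /ajaxPages/writeBrowseFilePathAjax.php?path=%2Fmedia HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return (severity, reason) for a parsed entry, or None if unrelated."""
    parts = urlsplit(entry["target"])
    if not parts.path.lower().endswith(VULN_ENDPOINT.lower()):
        return None
    if entry["status"] == "403":
        # The web-server workaround (or a WAF) refused the request.
        return ("blocked", "request to vulnerable endpoint denied")
    # Inspect decoded parameter names and values for the keywords.
    params = parse_qs(parts.query, keep_blank_values=True)
    blob = " ".join(f"{k}={' '.join(v)}" for k, v in params.items()).lower()
    hits = [kw for kw in SUSPICIOUS_KEYWORDS if kw in blob]
    if hits:
        return ("high", "suspicious parameter keyword(s): " + ", ".join(hits))
    if entry["method"] == "POST":
        return ("high", "POST to vulnerable endpoint (body not visible in access log)")
    return ("medium", "access to vulnerable endpoint")


def scan(log_text):
    """Return a finding dict for every line that touches the endpoint."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict is None:
            continue
        severity, reason = verdict
        findings.append({
            "host": entry["host"],
            "time": entry["time"],
            "method": entry["method"],
            "target": entry["target"],
            "status": entry["status"],
            "severity": severity,
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']:>7}] {f['host']} {f['method']} "
              f"{f['target']} -> {f['status']}: {f['reason']}")
```

Run it against a real log with `scan(open(path).read())`. The keyword match is deliberately broad, like the SIEM query it mirrors, so a benign value such as a path containing "systemd" will also trigger; any hit on this endpoint is worth a look regardless, because the page should only ever be reached by the VIAware web interface itself.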