CVE-2021-44041
📋 TL;DR
This vulnerability in UiPath Assistant allows attackers to execute arbitrary code or capture NTLM credentials by tricking users into clicking malicious links. It affects users of UiPath Assistant version 21.4.4 who interact with specially crafted uipath-assistant:// URIs.
💻 Affected Systems
- UiPath Assistant
📦 What is this software?
Assistant by Uipath
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via remote code execution, credential theft, and lateral movement within the network.
Likely Case
Malware installation, data theft, or credential harvesting through social engineering attacks.
If Mitigated
Limited impact with proper network segmentation, application control policies, and user awareness training.
🎯 Exploit Status
Exploitation requires social engineering but is technically simple once a user clicks a malicious URI.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 21.10.4 and later
Vendor Advisory: https://docs.uipath.com/robot/docs/release-notes-2021-10-4
Restart Required: Yes
Instructions:
1. Download UiPath Assistant 21.10.4 or later from official sources.
2. Uninstall current version.
3. Install updated version.
4. Restart system.
🔧 Temporary Workarounds
Disable URI Handler
Windows: Remove or modify the uipath-assistant:// URI handler registration to prevent exploitation via malicious links.
reg delete "HKCU\Software\Classes\uipath-assistant" /f
reg delete "HKLM\Software\Classes\uipath-assistant" /f
Block WebDAV and SMB Outbound
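Windows: Prevent credential capture by blocking outbound connections to WebDAV and SMB shares from workstations. As written, the rule below matches all outbound TCP traffic to ports 80, 443 and 445, so it also blocks ordinary web browsing from the host; scope it (for example with the rule's remoteip or program parameters) before deploying it widely.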
netsh advfirewall firewall add rule name="Block WebDAV Outbound" dir=out action=block protocol=TCP remoteport=80,443,445
🧯 If You Can't Patch
- Implement application control policies to block execution of unauthorized binaries.
- Deploy network segmentation to isolate UiPath systems and block outbound SMB/WebDAV from workstations.
🔍 How to Verify
Check if Vulnerable:
Check the UiPath Assistant version in Help > About. If the version is 21.4.4, the system is vulnerable.
Check Version:
"C:\Program Files\UiPath\Studio\UiPath.Assistant.exe" --version
Verify Fix Applied:
Verify version is 21.10.4 or later in Help > About. Test that uipath-assistant:// URIs no longer execute arbitrary file paths.
📡 Detection & Monitoring
Log Indicators:
- Process creation events for UiPath.Assistant.exe with --dev-widget arguments containing network paths
- Windows Event Logs showing SMB or WebDAV authentication attempts from UiPath processes
Network Indicators:
- Outbound SMB (port 445) or WebDAV (port 80/443) connections from workstations following UiPath process execution
- DNS queries for suspicious domains in conjunction with UiPath process activity
SIEM Query:
process_name="UiPath.Assistant.exe" AND command_line="*--dev-widget*"
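The first log indicator above, as an added example (not UiPath's or this page's own code): a Python filter over process-creation records that separates any --dev-widget use from use with a network target. The record fields, hostnames and command lines are constructed, and the exact --dev-widget argument layout is an assumption.

```python
import re

TARGET_IMAGE = "uipath.assistant.exe"
EXE = r"C:\Program Files\UiPath\Studio\UiPath.Assistant.exe"  # path as shown on this page
# Assumed layout: the value follows "=" or whitespace and may be double-quoted.
DEV_WIDGET = re.compile(r'--dev-widget(?:=|\s+)(?:"([^"]*)"|(\S+))', re.IGNORECASE)

# Constructed process-creation records (hypothetical hosts and targets), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": EXE, "command_line": rf'"{EXE}"'},
    {"host": "ws02", "image": EXE, "command_line": rf'"{EXE}" --dev-widget C:\Users\dev\widget'},
    {"host": "ws03", "image": EXE,
     "command_line": rf'"{EXE}" --dev-widget \\fileserver.example\share\widget'},
    {"host": "ws04", "image": EXE,
     "command_line": rf'"{EXE}" --dev-widget="https://dav.example/widget"'},
    {"host": "ws05", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe --dev-widget \\fileserver.example\share\widget"},
]

def classify_target(value):
    """Return 'unc', 'http' or 'local' for a --dev-widget value."""
    v = value.strip().lower()
    if v.startswith(("\\\\", "//")):      # \\host\share, incl. \\host@SSL\DavWWWRoot (WebDAV)
        return "unc"
    if v.startswith("file://") and not v.startswith("file:///"):
        return "unc"                      # file://host/share points at a remote host
    if v.startswith(("http://", "https://")):
        return "http"
    return "local"                        # mapped network drives are not resolved here

def detect(events):
    """Flag UiPath.Assistant.exe launches carrying --dev-widget; network targets rank high."""
    findings = []
    for ev in events:
        image = ev["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if image != TARGET_IMAGE:
            continue                      # same string in another process is not the indicator
        m = DEV_WIDGET.search(ev["command_line"])
        if not m:
            continue
        value = m.group(1) if m.group(1) is not None else m.group(2)
        kind = classify_target(value)
        findings.append({"host": ev["host"], "target": value, "kind": kind,
                         "severity": "review" if kind == "local" else "high"})
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Local-path hits are kept at "review" severity because the SIEM query above matches any --dev-widget use, which may include legitimate widget development.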