CVE-2023-31068

9.8 CRITICAL

📋 TL;DR

This vulnerability in TSplus Remote Access stems from theme directories being created with 'Everyone' Full Control permissions, so any local user can modify their contents, potentially enabling arbitrary code execution. It affects TSplus Remote Access installations up to and including version 16.0.2.14 on Windows systems. Attackers could exploit this to gain unauthorized access or escalate privileges.

💻 Affected Systems

Products:
  • TSplus Remote Access
Versions: Through 16.0.2.14
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects default installations where theme directories inherit insecure permissions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise through arbitrary code execution, leading to data theft, ransomware deployment, or complete control of affected systems.

🟠 Likely Case

Privilege escalation allowing attackers to execute malicious code with system-level permissions, potentially compromising the entire TSplus environment.

🟢 If Mitigated

Limited impact with proper access controls and monitoring, potentially only allowing file modification without code execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires initial (local) access to the host, but once that is obtained it allows easy privilege escalation through manipulation of the writable theme directories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 16.0.2.15 or later

Vendor Advisory: https://www.tsplus.net/support/security-advisories/

Restart Required: Yes

Instructions:

1. Download the latest version from the TSplus website.
2. Run the installer as administrator.
3. Follow the upgrade prompts.
4. Restart the TSplus services.

🔧 Temporary Workarounds

Restrict Theme Directory Permissions

Windows (run from an elevated command prompt):

Manually adjust NTFS permissions to remove 'Everyone' Full Control from the vulnerable directories. Note that /remove only strips explicit ACEs; an 'Everyone' entry that is inherited from a parent directory has to be fixed at the parent or after inheritance is disabled on the themes directory.

icacls "%PROGRAMFILES(X86)%\TSplus\UserDesktop\themes" /remove Everyone /T

🧯 If You Can't Patch

  • Apply strict access controls to TSplus directories, removing 'Everyone' permissions and limiting to authorized users only.
  • Implement application whitelisting to prevent execution of unauthorized binaries from theme directories.

🔍 How to Verify

Check if Vulnerable:

Check the permissions on the %PROGRAMFILES(X86)%\TSplus\UserDesktop\themes\* directories with the 'icacls' command and look for 'Everyone:(F)' entries (Full Control granted to the Everyone group).

Check Version:

Check the version in the TSplus Admin Tool → About, or examine the registry at HKEY_LOCAL_MACHINE\SOFTWARE\TSplus\Version.

Verify Fix Applied:

Verify 'Everyone' group no longer has Full Control permissions on theme directories and TSplus version is 16.0.2.15 or higher.
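An added PowerShell audit script that runs both checks above in one pass (example code written for this page, not from TSplus or the advisory). It assumes the default install path named on this page, and it reads the version as a 'Version' value under HKLM:\SOFTWARE\TSplus, which is an assumption about how that registry location is laid out. It matches Everyone by its well-known SID S-1-1-0 so it also works on localized Windows, and it flags inherited ACEs, because an inherited 'Everyone' entry cannot be removed on the child directory alone.

```powershell
# Constructed audit script for CVE-2023-31068; not vendor code.
# Assumption: default install path from the advisory. Adjust $ThemesRoot if needed.
$ThemesRoot   = Join-Path ${env:ProgramFiles(x86)} 'TSplus\UserDesktop\themes'
$FixedVersion = [version]'16.0.2.15'
$EveryoneSid  = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$FullControl  = [int][System.Security.AccessControl.FileSystemRights]::FullControl  # 0x1F01FF

function Get-EveryoneFullControl {
    param([string]$Path)
    # Walk the themes root and every sub-directory; emit one record per ACE that
    # grants the Everyone group FullControl, noting whether the ACE is inherited.
    $dirs = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($d in $dirs) {
        $acl = Get-Acl -LiteralPath $d.FullName
        foreach ($ace in $acl.Access) {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
            $hasFull = (([int]$ace.FileSystemRights) -band $FullControl) -eq $FullControl
            if ($sid -eq $EveryoneSid -and $hasFull -and $ace.AccessControlType -eq 'Allow') {
                [pscustomobject]@{
                    Path      = $d.FullName
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # inherited: fix at parent or disable inheritance first
                }
            }
        }
    }
}

function Test-TSplusPatched {
    # Assumption: a 'Version' value under HKLM:\SOFTWARE\TSplus. Returns $null if unreadable.
    $v = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\TSplus' -Name Version -ErrorAction SilentlyContinue).Version
    if (-not $v) { return $null }
    return ([version]$v -ge $FixedVersion)
}

if (Test-Path -LiteralPath $ThemesRoot) {
    $findings = @(Get-EveryoneFullControl -Path $ThemesRoot)
    if ($findings.Count -eq 0) {
        "OK: no Everyone:(F) ACE under $ThemesRoot"
    } else {
        "VULNERABLE: $($findings.Count) directory ACE(s) grant Everyone Full Control"
        $findings | Format-Table -AutoSize
    }
} else {
    Write-Warning "Themes directory not found at $ThemesRoot; adjust the path for this install."
}

$patched = Test-TSplusPatched
if ($null -eq $patched)  { Write-Warning 'Version not readable from registry; check Admin Tool -> About.' }
elseif ($patched)        { "OK: TSplus version is $FixedVersion or later" }
else                     { "VULNERABLE: TSplus version is below $FixedVersion; upgrade" }
```

Run it in an elevated PowerShell session so every sub-directory's ACL can be read; a clean result on both checks corresponds to the 'Verify Fix Applied' condition above.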

📡 Detection & Monitoring

Log Indicators:

  • Windows Security Event ID 4663 (file system object access) showing unexpected writes to the theme directories. Note that 4663 is only generated when Object Access auditing is enabled and a SACL has been set on those directories, so configure that first.
  • TSplus application logs showing unexpected theme modifications

Network Indicators:

  • Unusual RDP connections to TSplus servers
  • Unexpected file transfers to/from TSplus servers

SIEM Query:

source="windows" EventID=4663 AND ObjectName="*TSplus*UserDesktop*themes*" AND AccessMask="0x1F01FF"
