CVE-2024-11581

7.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Luxion KeyShot installations by tricking users into opening malicious JT files. The flaw exists in JT file parsing where improper data validation enables out-of-bounds reads that can lead to remote code execution. Users of affected KeyShot versions who open untrusted JT files are at risk.

💻 Affected Systems

Products:
  • Luxion KeyShot
Versions: prior to 2024.1
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. User interaction required (opening malicious JT file).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control of the affected system, data theft, lateral movement, and persistence establishment.

🟠 Likely Case

Local privilege escalation leading to system compromise, data exfiltration, and potential ransomware deployment.

🟢 If Mitigated

Limited impact with proper application sandboxing and user privilege restrictions, potentially only causing application crashes.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction but weaponization is likely given the RCE potential. ZDI has confirmed the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2024.1 and later

Vendor Advisory: https://download.keyshot.com/cert/ksa-655925/ksa-655925.pdf

Restart Required: Yes

Instructions:

1. Download KeyShot 2024.1 or later from the official Luxion website
2. Run the installer and follow upgrade prompts
3. Restart the system after installation completes

🔧 Temporary Workarounds

Restrict JT file handling (all platforms)

Block or restrict opening of JT files through application policies or file association changes

Application sandboxing (all platforms)

Run KeyShot in restricted/sandboxed environment to limit potential damage

🧯 If You Can't Patch

  • Implement strict file handling policies to prevent opening untrusted JT files
  • Run KeyShot with minimal user privileges and in isolated environments

🔍 How to Verify

Check if Vulnerable:

Check KeyShot version in Help > About menu. Versions before 2024.1 are vulnerable.

Check Version:

On Windows: Check registry at HKEY_LOCAL_MACHINE\SOFTWARE\Luxion\KeyShot\Version or check About dialog

Verify Fix Applied:

Verify version is 2024.1 or later in Help > About menu and test opening known safe JT files.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when opening JT files
  • Unusual process spawning from KeyShot
  • Memory access violation errors

Network Indicators:

  • Unexpected outbound connections from KeyShot process
  • Downloads of JT files from untrusted sources

SIEM Query:

Process creation where parent process contains 'KeyShot' AND (command line contains '.jt' OR file path contains '.jt')
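
The SIEM query and the "unusual process spawning from KeyShot" indicator above, written as detection logic over process-creation events. This is an added example, not part of the original advisory or any Luxion tooling. The event field names, executable paths and the `licensehelper` baseline entry are constructed assumptions, and the matching is deliberately stricter than the page's "contains": it tests the parent's file name rather than its full path, and treats `.jt` as a file extension.

```python
import ntpath
import re

# ".jt" as an extension only, so ".jtx" or "a.jtool" do not match.
JT_EXT = re.compile(r"\.jt(?![A-Za-z0-9])", re.IGNORECASE)

def classify(event, baseline=frozenset()):
    """Return 'jt_child', 'child' or None for one process-creation event."""
    # Match on the parent's file name, not the whole path, so a folder
    # that merely has "keyshot" in its name does not trigger.
    parent = ntpath.basename(event.get("parent_image", "")).lower()
    if "keyshot" not in parent:
        return None
    image = event.get("image", "")
    # The page's SIEM query: '.jt' in the command line or the file path.
    if JT_EXT.search(event.get("command_line", "")) or JT_EXT.search(image):
        return "jt_child"
    # Broader page indicator: unusual process spawning from KeyShot.
    # 'baseline' holds child file names known to be normal (assumption).
    if ntpath.basename(image).lower() in baseline:
        return None
    return "child"

def hunt(events, baseline=frozenset()):
    """Return (verdict, host, child image) tuples, strongest matches first."""
    hits = [(v, e["host"], e["image"]) for e in events
            if (v := classify(e, baseline))]
    return sorted(hits, key=lambda h: h[0] != "jt_child")

# Constructed events (Sysmon Event ID 1 style fields); all paths are made up.
KS = r"C:\Program Files\KeyShot\bin\keyshot.exe"
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent_image": KS, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c type "C:\Users\a\Downloads\bracket.jt"'},
    {"host": "ws-02", "parent_image": KS,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe"},
    {"host": "ws-03", "parent_image": r"C:\Windows\explorer.exe", "image": KS,
     "command_line": r'keyshot.exe "C:\Users\c\Downloads\part.jt"'},
    {"host": "ws-04", "parent_image": KS, "image": r"C:\Windows\notepad.exe",
     "command_line": r"notepad.exe C:\Temp\notes.jtx"},
    {"host": "mac-05", "parent_image": "/Applications/KeyShot.app/Contents/MacOS/keyshot",
     "image": "/opt/ks/licensehelper", "command_line": "licensehelper --check"},
]

if __name__ == "__main__":
    for verdict, host, image in hunt(SAMPLE_EVENTS, baseline={"licensehelper"}):
        print(f"{verdict:9} {host:7} {image}")
```

Populate `baseline` from the child processes KeyShot is observed to start on a known-good host before alerting on the `child` tier.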
