CVE-2024-21805

7.8 HIGH

📋 TL;DR

This vulnerability allows authenticated Windows users on affected SKYSEA Client View systems to place arbitrary files in a specific folder. If a malicious DLL is placed there, it can be executed with SYSTEM privileges, leading to complete system compromise. Exploitation is limited to users who can log in to the Windows client.

💻 Affected Systems

Products:
  • SKYSEA Client View
Versions: Ver.16.100 through Ver.19.1
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows client installations; requires local user authentication.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Code execution with SYSTEM privileges, leading to complete host takeover, lateral movement, and data exfiltration.

🟠 Likely Case

Privilege escalation from standard user to SYSTEM by authenticated attackers, enabling persistence and further exploitation.

🟢 If Mitigated

Limited to authenticated users only; proper access controls and patching prevent exploitation.

🌐 Internet-Facing: LOW - Requires local authentication to Windows client, not directly internet-exposed.
🏢 Internal Only: HIGH - Any authenticated internal user can exploit this for privilege escalation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access and knowledge of the specific vulnerable folder path.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Ver.19.2

Vendor Advisory: https://www.skyseaclientview.net/news/240307_01/

Restart Required: Yes

Instructions:

1. Download SKYSEA Client View Ver.19.2 from vendor portal.
2. Run installer with administrative privileges.
3. Restart system after installation completes.

🔧 Temporary Workarounds

Restrict folder permissions (Windows)

Modify ACLs on the vulnerable folder to prevent unauthorized file writes (the path in the command is a placeholder):

icacls "C:\Path\To\Vulnerable\Folder" /deny Users:(OI)(CI)W

Remove vulnerable folder (Windows)

Delete or rename the specific vulnerable folder if it is not required for functionality (the path in the command is a placeholder):

rmdir /s /q "C:\Path\To\Vulnerable\Folder"

🧯 If You Can't Patch

  • Implement strict least-privilege access controls for all user accounts
  • Monitor for suspicious file writes to the vulnerable folder path

🔍 How to Verify

Check if Vulnerable:

Check SKYSEA Client View version via Control Panel > Programs and Features, or run 'wmic product get name,version' and look for versions 16.100 through 19.1

Check Version:

wmic product where "name like '%SKYSEA Client View%'" get version

Verify Fix Applied:

Confirm version is 19.2 or higher using same method, and verify folder permissions are properly restricted

📡 Detection & Monitoring

Log Indicators:

  • File creation events in the vulnerable folder path
  • Process execution with SYSTEM privileges from unusual locations

Network Indicators:

  • Unusual outbound connections from SYSTEM processes

SIEM Query:

(EventID=4663 AND ObjectName="*vulnerable\folder\path*") OR (ProcessName="rundll32.exe" AND ParentProcess="explorer.exe")
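
An added example (not from the vendor advisory or this page's source) of the file-write indicator above, in Python: it flags Security event 4663 records that show write access under the folder by any account other than SYSTEM, matching on path components instead of a wildcard. The folder is the page's placeholder path; the JSON-lines export format, the sample events, and the assumption that only SYSTEM writes there legitimately are constructed for illustration.

```python
import json
from pathlib import PureWindowsPath

# Placeholder path copied from the page's workaround; substitute the real folder.
WATCHED = PureWindowsPath(r"C:\Path\To\Vulnerable\Folder")
WRITE_BITS = 0x2 | 0x4        # WriteData/AddFile, AppendData/AddSubdirectory
SYSTEM_SID = "S-1-5-18"       # assumption: only SYSTEM legitimately writes here

# Constructed sample: Security events flattened to one JSON object per line.
SAMPLE = r'''
{"EventID":4663,"SubjectUserSid":"S-1-5-21-1-2-3-1104","SubjectUserName":"alice","ObjectName":"C:\\Path\\To\\Vulnerable\\Folder\\helper.dll","AccessMask":"0x2"}
{"EventID":4663,"SubjectUserSid":"S-1-5-18","SubjectUserName":"HOST01$","ObjectName":"C:\\Path\\To\\Vulnerable\\Folder\\agent.log","AccessMask":"0x6"}
{"EventID":4663,"SubjectUserSid":"S-1-5-21-1-2-3-1105","SubjectUserName":"bob","ObjectName":"C:\\Path\\To\\Vulnerable\\Folder\\config.ini","AccessMask":"0x1"}
{"EventID":4663,"SubjectUserSid":"S-1-5-21-1-2-3-1105","SubjectUserName":"bob","ObjectName":"c:\\path\\to\\vulnerable\\folder\\sub\\notes.txt","AccessMask":"0x6"}
{"EventID":4663,"SubjectUserSid":"S-1-5-21-1-2-3-1104","SubjectUserName":"alice","ObjectName":"C:\\Path\\To\\Vulnerable\\Folder2\\x.dll","AccessMask":"0x2"}
{"EventID":4688,"SubjectUserSid":"S-1-5-21-1-2-3-1104","SubjectUserName":"alice","NewProcessName":"C:\\Windows\\System32\\rundll32.exe"}
'''

def suspicious_writes(log_text, watched=WATCHED):
    """Return (user, path, severity) for non-SYSTEM writes under `watched`."""
    hits = []
    for line in filter(str.strip, log_text.splitlines()):
        ev = json.loads(line)
        if ev.get("EventID") != 4663 or ev.get("SubjectUserSid") == SYSTEM_SID:
            continue
        if not int(ev.get("AccessMask", "0x0"), 16) & WRITE_BITS:
            continue                      # read or attribute access only
        path = PureWindowsPath(ev.get("ObjectName", ""))
        # Compare path components, case-insensitively, so "Folder2" does not
        # match "Folder" the way a substring or wildcard test would.
        if watched not in path.parents:
            continue
        severity = "high" if path.suffix.lower() == ".dll" else "medium"
        hits.append((ev.get("SubjectUserName"), str(path), severity))
    return hits

if __name__ == "__main__":
    for user, path, severity in suspicious_writes(SAMPLE):
        print(f"[{severity}] {user} wrote {path}")
```

Event 4663 is only logged when object-access auditing is enabled and the folder carries an auditing entry (SACL) for write access.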
