CVE-2024-36075
📋 TL;DR
This vulnerability allows remote code execution with administrator privileges on endpoints running CoSoSys Endpoint Protector or Unify agent. An attacker who can modify archives on the server can execute arbitrary code on connected endpoints. Organizations using these products through version 5.9.3 (Endpoint Protector) or 7.0.6 (Unify agent) are affected.
💻 Affected Systems
- CoSoSys Endpoint Protector
- CoSoSys Unify agent
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all endpoints with administrator privileges, enabling data theft, ransomware deployment, and persistent backdoor installation.
Likely Case
Targeted attacks against specific endpoints to steal sensitive data or to establish a foothold for lateral movement within the network.
If Mitigated
Limited impact through network segmentation and strict access controls preventing server archive modification.
🎯 Exploit Status
Exploitation requires ability to modify archives on the server, suggesting some level of access or compromise is needed first.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Endpoint Protector 5.9.4+, Unify agent 7.0.7+
Vendor Advisory: https://helpcenter.netwrix.com/bundle/z-kb-articles-salesforce/page/kA0Qk0000001E5lKAE.html
Restart Required: Yes
Instructions:
1. Download the latest version from the vendor portal.
2. Back up the current configuration.
3. Install the update on the server first.
4. Deploy the updated agent to all endpoints.
5. Verify that all endpoints are reporting the correct version.
🔧 Temporary Workarounds
Restrict Server Access
Limit access to the Endpoint Protector/Unify server to only authorized administrators.
Monitor Archive Changes
Implement file integrity monitoring on server archive directories.
🧯 If You Can't Patch
- Segment the Endpoint Protector/Unify server network to limit lateral movement potential
- Implement strict access controls and monitoring for server administrative interfaces
🔍 How to Verify
Check if Vulnerable:
Check agent version in Endpoint Protector/Unify management console or run agent version check command on endpoints.
Check Version:
On Windows: 'sc query EndpointProtectorAgent' (this confirms the agent service is installed and running; the version number itself is shown in the installed programs list). On Linux: 'rpm -qa | grep endpoint' or 'dpkg -l | grep endpoint'.
Verify Fix Applied:
Confirm all endpoints report version 5.9.4+ (Endpoint Protector) or 7.0.7+ (Unify agent) in management console.
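As an added example (not from the advisory or the vendor), a small Python check that compares reported agent versions numerically against the fixed releases above, so that 5.9.10 is correctly treated as newer than 5.9.4; the CSV export layout, hostnames and version-string format are constructed assumptions:

```python
"""Check CoSoSys agent versions against the fixed releases for CVE-2024-36075.

Fixed versions come from the advisory: Endpoint Protector 5.9.4, Unify agent 7.0.7.
The CSV export layout below is constructed; a real console export will differ.
"""
import csv
import io
import re
from typing import List, Tuple

# Minimum fixed version per product (from the advisory).
FIXED_VERSIONS = {
    "Endpoint Protector": (5, 9, 4),
    "Unify agent": (7, 0, 7),
}

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.9.3' or 'v5.9.3-build12' into a tuple of ints, so that
    5.9.10 compares greater than 5.9.4 (plain string comparison gets this wrong)."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def is_fixed(product: str, version: str) -> bool:
    """True if this product/version is at or above the patched release."""
    if product not in FIXED_VERSIONS:
        raise ValueError(f"unknown product: {product!r}")
    return parse_version(version) >= FIXED_VERSIONS[product]

def vulnerable_hosts(csv_text: str) -> List[str]:
    """Return hostnames whose reported agent version is still below the fix.
    Expects columns: hostname,product,version (constructed layout)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r["hostname"] for r in rows if not is_fixed(r["product"], r["version"])]

# Constructed sample export: four endpoints in a mixed patch state.
SAMPLE_EXPORT = """hostname,product,version
ws-01,Endpoint Protector,5.9.3
ws-02,Endpoint Protector,5.9.10
ws-03,Unify agent,7.0.6
ws-04,Unify agent,7.0.7
"""

if __name__ == "__main__":
    for host in vulnerable_hosts(SAMPLE_EXPORT):
        print(f"{host}: still running a vulnerable agent version")
```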
📡 Detection & Monitoring
Log Indicators:
- Unexpected archive extraction events
- Unusual process execution from agent directories
- Failed agent update attempts
Network Indicators:
- Unusual outbound connections from endpoints following agent communication
- Anomalous traffic patterns to/from Endpoint Protector server
SIEM Query:
source="endpoint_protector" AND (event_type="archive_extract" OR (process_execution="*agent*" AND parent_process!="expected_parent"))