CVE-2024-7565
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on SMARTBEAR SoapUI installations through directory traversal in the unpackageAll function. Attackers can exploit this by tricking users into visiting malicious web pages or opening malicious files. The vulnerability affects users who process untrusted content with vulnerable SoapUI versions.
💻 Affected Systems
- SMARTBEAR SoapUI
📦 What is this software?
SoapUI by SmartBear
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining the same privileges as the current user, potentially leading to data theft, lateral movement, or ransomware deployment.
Likely Case
Local file system access and arbitrary code execution within the user's context, enabling data exfiltration or installation of persistent malware.
If Mitigated
Limited impact if proper application sandboxing and user privilege restrictions are in place, though some data exposure may still occur.
🎯 Exploit Status
Exploitation requires user interaction (opening a malicious file or visiting a malicious page). The vulnerability is well-documented in ZDI advisory ZDI-24-1100.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check latest release notes at https://www.soapui.org/downloads/latest-release/release-notes/
Vendor Advisory: https://www.soapui.org/downloads/latest-release/release-notes/
Restart Required: Yes
Instructions:
1. Visit https://www.soapui.org/downloads/latest-release/
2. Download and install the latest version
3. Restart SoapUI
4. Verify the update was successful
🔧 Temporary Workarounds
Restrict file processing
Only process XML/SOAP files from trusted sources and avoid opening files from unknown origins.
Run with limited privileges
Run SoapUI with a non-administrative user account to limit potential damage from exploitation.
🧯 If You Can't Patch
- Implement application whitelisting to prevent execution of unauthorized binaries
- Deploy endpoint detection and response (EDR) solutions to monitor for suspicious file operations
🔍 How to Verify
Check if Vulnerable:
Check your SoapUI version against the latest release notes. If you are using a version prior to the fix mentioned in the release notes, you are vulnerable.
Check Version:
In SoapUI: Help → About SoapUI
Verify Fix Applied:
Update to the latest version from the official SoapUI website and confirm the version number matches or exceeds the patched version.
📡 Detection & Monitoring
Log Indicators:
- Unusual file operations outside expected directories
- Suspicious process creation from SoapUI
Network Indicators:
- Unexpected outbound connections from SoapUI process
SIEM Query:
Process creation where parent process contains 'soapui' and child process is suspicious or unexpected
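The log indicators and SIEM query above, written out as triage logic over Sysmon-style events. This is an added example, not code from SmartBear, ZDI or this page's author; the child-process list, the expected write directories, the install path and the sample events are all assumptions to adapt per host.

```python
# Added example. Field names follow Sysmon (EventID 1 = process creation,
# EventID 11 = file create). Lists, paths and events below are constructed.
import ntpath
from pathlib import PureWindowsPath

# Assumption: children a SOAP/REST test client has no routine reason to start.
UNEXPECTED_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe"}
# Assumption: directories SoapUI is expected to write to on this host.
EXPECTED_WRITE_ROOTS = [PureWindowsPath(r"C:\Users\alice\SoapUI-Workspace"),
                        PureWindowsPath(r"C:\Users\alice\AppData\Local\Temp")]

def is_soapui(image):
    # Substring match on the full path also covers a JRE bundled under SoapUI.
    return "soapui" in image.lower()

def outside_expected(target):
    # Collapse ".." first so a traversal-style path is judged by where it lands.
    p = PureWindowsPath(ntpath.normpath(target))
    inside = any(p == r or r in p.parents for r in EXPECTED_WRITE_ROOTS)
    return None if inside else str(p)

def triage(events):
    alerts = []
    for ev in events:
        if ev["EventID"] == 1 and is_soapui(ev["ParentImage"]):
            if PureWindowsPath(ev["Image"]).name.lower() in UNEXPECTED_CHILDREN:
                alerts.append(("unexpected_child", ev["Image"]))
        elif ev["EventID"] == 11 and is_soapui(ev["Image"]):
            landed = outside_expected(ev["TargetFilename"])
            if landed:
                alerts.append(("write_outside_expected_dirs", landed))
    return alerts

SOAPUI = r"C:\Program Files\SmartBear\SoapUI\bin\SoapUI.exe"  # constructed path
SAMPLE_EVENTS = [  # constructed events, not real telemetry
    {"EventID": 11, "Image": SOAPUI,
     "TargetFilename": r"C:\Users\alice\SoapUI-Workspace\proj\data.xml"},
    {"EventID": 11, "Image": SOAPUI,
     "TargetFilename": r"C:\Users\alice\SoapUI-Workspace\..\Desktop\dropped.bin"},
    {"EventID": 1, "ParentImage": SOAPUI,
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "ParentImage": SOAPUI,
     "Image": r"C:\Program Files\SmartBear\SoapUI\jre\bin\java.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_EVENTS):
        print(kind, detail)
```

Tune both lists against a baseline of normal SoapUI activity before alerting on them, since legitimate test projects may write to other directories.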