October 6, 2014
The reported vulnerability is a local file inclusion vulnerability affecting the webmail feature of the Kerio Connect product. Exploitation of this vulnerability can lead to arbitrary code execution with SYSTEM privileges on the Windows server hosting it. The vulnerability can be triggered through the legacy user interface, which cannot be disabled. Access to this interface requires a valid standard e-mail account.
Reported by Géraud De Drouas from the French Network and Information Security Agency (ANSSI).
Arbitrary code execution with SYSTEM privileges.
CVSS Base Score: 9
Impact Subscore: 10
Exploitability Subscore: 8
Overall CVSS Score: 7
CVSS v2 Vector (AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)
Kerio MailServer 6.3.0 - 6.7.3
Kerio Connect 7.0.0 - 8.3.2
Improper control of filename for include/require statement (CWE-98).
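A minimal illustration of the CWE-98 pattern named above (an include path built from a request parameter) next to an allow-listed, root-confined resolver, added here as example code; it is Python written for this page, not Kerio's code, and the template directory, file extension and template names are assumptions.

```python
import os
import re

TEMPLATE_ROOT = "/opt/webmail/templates"   # assumed base directory for includes
ALLOWED_TEMPLATES = {"inbox", "compose", "settings"}  # assumed allow-list


def unsafe_resolve(requested: str, root: str = TEMPLATE_ROOT) -> str:
    """Vulnerable pattern: the caller-supplied name is joined to the root and
    included as-is, so '../' sequences walk out of the template directory."""
    return os.path.normpath(os.path.join(root, requested))


def is_inside_root(path: str, root: str) -> bool:
    """True only if path resolves to root itself or something beneath it."""
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(path)
    return os.path.commonpath([real_path, real_root]) == real_root


def resolve_template(requested, root: str = TEMPLATE_ROOT,
                     allowed=ALLOWED_TEMPLATES):
    """Hardened resolver: accept only a bare identifier that is on the
    allow-list, then confirm the resolved file still lives under root.
    Returns the absolute path, or None when the request is rejected."""
    # Bare identifiers only: no separators, dots, NUL bytes or drive letters.
    if not isinstance(requested, str) or not re.fullmatch(r"[A-Za-z0-9_]+", requested):
        return None
    if requested not in allowed:
        return None
    path = os.path.join(root, requested + ".tpl")
    # Defence in depth in case root itself contains a symlink or later changes.
    if not is_inside_root(path, root):
        return None
    return os.path.realpath(path)


if __name__ == "__main__":
    # Constructed request values: one legitimate, one traversal attempt.
    for name in ("inbox", "../../etc/passwd"):
        print(name, "->", unsafe_resolve(name), "| hardened:", resolve_template(name))
```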