EfficientLab WorkExaminer Professional FTP Server Vulnerability Allowing Unauthorized Access and Remote Code Execution
Vulnerability
A vulnerability exists in EfficientLab WorkExaminer Professional server installations through version 4.0.0.52001. The FTP server, active on TCP port 12304, can be accessed by an attacker with network reach to that port using weak hardcoded credentials. This access allows the attacker to read or modify data and log files. Furthermore, it enables remote code execution on the server as NT Authority\SYSTEM by replacing service binaries in the WorkExaminer installation directory.
Impact
Exploitation of this vulnerability leads to unauthorized access to the FTP server, allowing for data manipulation and log file access. More critically, it facilitates remote code execution on the server with SYSTEM privileges.
Reproduction
To reproduce this vulnerability, an attacker must have network access to the WorkExaminer server's FTP port (12304). Using the hardcoded FTP credentials, the attacker can log into the FTP server, access sensitive data, and overwrite WorkExaminer service binaries to execute arbitrary code on the server as NT Authority\SYSTEM.
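A defender-side check for the binary-replacement path described above, as an added example that is not part of the original advisory or of WorkExaminer: it records SHA-256 hashes of executables under the installation directory and reports files changed since a known-good baseline. The installation directory, the baseline file location, and the `.exe`/`.dll` extension filter are assumptions supplied by the operator.

```python
import hashlib
import os

# Assumption: file types treated as service code; adjust for the actual install.
BINARY_EXTENSIONS = {".exe", ".dll"}


def snapshot(install_dir):
    """Map relative path -> SHA-256 for every binary under install_dir."""
    result = {}
    for root, _dirs, files in os.walk(install_dir):
        for name in files:
            if os.path.splitext(name)[1].lower() not in BINARY_EXTENSIONS:
                continue
            full = os.path.join(root, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, install_dir).replace(os.sep, "/")
            result[rel] = digest.hexdigest()
    return result


def compare(baseline, current):
    """Return sorted lists of paths that were modified, added or removed."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


if __name__ == "__main__":
    import json
    import sys
    # Usage: python check_binaries.py <install_dir> <baseline.json>
    install_dir, baseline_path = sys.argv[1], sys.argv[2]
    current = snapshot(install_dir)
    if not os.path.exists(baseline_path):
        # First run: record the known-good state.
        with open(baseline_path, "w") as fh:
            json.dump(current, fh, indent=2)
        print("baseline written:", len(current), "files")
    else:
        with open(baseline_path) as fh:
            report = compare(json.load(fh), current)
        print(json.dumps(report, indent=2))
        sys.exit(1 if any(report.values()) else 0)
```

Take the baseline from a known-good installation and keep it off the server, since code running as SYSTEM on the host could rewrite a locally stored baseline.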
