BizRobo! Deserialization Vulnerability Leading to Arbitrary Code Execution
Vulnerability
A deserialization vulnerability has been identified in all versions of the BizRobo! RPA software, allowing arbitrary code execution on the Management Console. The issue arises from the use of an outdated version of the XStream library, which is known to be vulnerable when it deserializes untrusted data. The vulnerability can be exploited by sending a malicious serialized file to the Management Console, which then executes the code embedded in it.
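The root cause described above is a library-level one: an XStream instance with permissive type permissions will instantiate whatever class name an untrusted XML document carries. The following Java example is added here for illustration and is not BizRobo!'s code; it assumes an XStream 1.4.x jar on the classpath, and the backup record class and the <backup> element name are hypothetical stand-ins for whatever the product's real backup schema contains. It places the weak default configuration beside the deny-all-then-allowlist configuration that XStream's own security framework provides, and shows the hardened instance rejecting a document that names a type the restore path never expects.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

// Illustrative restore path for an XStream-based backup format. The class
// BackupRecord and the <backup> element are hypothetical; the advisory does
// not disclose BizRobo!'s real backup schema.
public class BackupRestoreHardening {

    // The one application type a backup document is allowed to contain.
    public static class BackupRecord {
        public String name;
        public int version;
    }

    // Weak setup: on XStream releases older than 1.4.18 the default
    // permissions let the XML element name pick any loadable class.
    static XStream permissiveXStream() {
        XStream xs = new XStream();
        xs.alias("backup", BackupRecord.class);
        return xs;
    }

    // Hardened setup: start from deny-all, then allow only the expected types.
    static XStream hardenedXStream() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // deny-all baseline
        xs.addPermission(NullPermission.NULL);                // null field values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xs.allowTypes(new Class[] { String.class, BackupRecord.class });
        xs.alias("backup", BackupRecord.class);
        return xs;
    }

    // Restore helper: returns the record, or throws ForbiddenClassException
    // when the document names a type outside the allowlist.
    static BackupRecord restore(XStream xs, String xml) {
        return (BackupRecord) xs.fromXML(xml);
    }

    public static void main(String[] args) {
        // Constructed sample documents: a well-formed backup, and one whose
        // root element names an unrelated JDK class (a harmless stand-in for
        // "a type the restore code did not expect").
        String benign = "<backup><name>nightly</name><version>3</version></backup>";
        String unexpected = "<java.util.Locale>en_US</java.util.Locale>";

        BackupRecord ok = restore(hardenedXStream(), benign);
        System.out.println("restored " + ok.name + " v" + ok.version);

        // Pre-1.4.18 defaults build the Locale without complaint; 1.4.18+
        // already throws here because its default is deny-all.
        try {
            Object viaPermissive = permissiveXStream().fromXML(unexpected);
            System.out.println("permissive instance produced: "
                    + viaPermissive.getClass().getName());
        } catch (ForbiddenClassException e) {
            System.out.println("permissive instance rejected (new XStream default): "
                    + e.getMessage());
        }

        // The hardened instance refuses regardless of the library's defaults.
        try {
            hardenedXStream().fromXML(unexpected);
            System.out.println("hardened instance accepted unexpected type (should not happen)");
        } catch (ForbiddenClassException e) {
            System.out.println("hardened instance rejected: " + e.getMessage());
        }
    }
}
```

Two points worth noting. First, the allowlist is checked when XStream resolves the element name to a class, before any constructor or converter runs, so a rejected document never reaches the stage at which deserialization gadgets do their work. Second, since XStream 1.4.18 a fresh XStream() is already deny-all by default, so upgrading the library closes the permissive default on its own; keeping the explicit allowlist in the restore code still documents which types the format legitimately contains and does not depend on the library version that happens to be on the classpath.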
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the Management Console.
Reproduction
To reproduce this vulnerability, access the Management Console with a user account that has administrative privileges. Once logged in, upload a backup file that has been modified to include malicious Java code. When the backup is restored, the Management Console will execute the injected code, demonstrating the vulnerability.
Remediation
The vendor recommends applying the provided workaround. For more information, refer to the BizRobo! support period article.
