Zurich Instruments LabOne Q Arbitrary Code Execution Vulnerability via Unsafe Deserialization

Vulnerability

A vulnerability allowing arbitrary code execution has been identified in the Zurich Instruments LabOne Q serialization framework. The issue arises from an unsafe deserialization process that accepts arbitrary fully-qualified class names from serialized data without validation or restriction. An attacker can exploit this by crafting a malicious experiment file that, when loaded by a user, executes code with that user's privileges. The vulnerability affects LabOne Q versions from 2.41.0 up to, but not including, 26.1.2, as well as the pre-releases 26.4.0b1 through 26.4.0b5. Exploitation requires the victim to deserialize a compromised file, such as one shared for collaboration or support.
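The defensive pattern that closes this class of bug, as an added example that is not LabOne Q's code or Zurich Instruments' fix: a deserializer that resolves a type tag only against an explicit registry of allowed classes and refuses any other fully-qualified name instead of importing it. The JSON layout, the `__class__` tag and the `Pulse` dataclass are assumptions for illustration.

```python
"""Allowlist-based deserialization (added example, not LabOne Q code): a
"__class__" tag is resolved only against registered classes, never imported."""
import json
from dataclasses import dataclass, fields, is_dataclass

_REGISTRY: dict[str, type] = {}  # fully-qualified name -> allowed class

class UnsafeTypeTag(ValueError):
    """Serialized data named a class that is not on the allowlist."""

def tag_of(cls: type) -> str:
    return f"{cls.__module__}.{cls.__qualname__}"

def register(cls: type) -> type:
    """Decorator: make a dataclass eligible for deserialization."""
    if not is_dataclass(cls):
        raise TypeError("only dataclasses can be registered")
    _REGISTRY[tag_of(cls)] = cls
    return cls

def _object_hook(obj: dict) -> object:
    tag = obj.pop("__class__", None)
    if tag is None:
        return obj  # untagged dict stays plain data
    cls = _REGISTRY.get(tag)
    if cls is None:  # the fix: look the name up, never import it
        raise UnsafeTypeTag(f"refusing unregistered class {tag!r}")
    unknown = set(obj) - {f.name for f in fields(cls)}
    if unknown:
        raise UnsafeTypeTag(f"unexpected fields {sorted(unknown)} for {tag}")
    return cls(**obj)

def loads(text: str) -> object:
    return json.loads(text, object_hook=_object_hook)

def is_rejected(text: str) -> bool:
    try:
        loads(text)
    except UnsafeTypeTag:
        return True
    return False

@register
@dataclass
class Pulse:
    length: float
    amplitude: float

# Constructed sample payloads (not taken from the advisory).
GOOD = json.dumps({"__class__": tag_of(Pulse), "length": 1e-7, "amplitude": 0.5})
BAD = json.dumps({"__class__": "some.module.NotRegistered", "cmd": "x"})
```

Because the lookup never touches the import system, a file that names a class outside the registry fails loudly at load time rather than executing anything.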

Impact

Successful exploitation allows for arbitrary code execution in the context of the user running the Python process.

Remediation

Users are advised to update LabOne Q to version 26.1.2, or to 26.4.0 or later. The update can be performed via pip. Users who must remain on an earlier version for compatibility reasons should contact Zurich Instruments.

Added: May 1, 2026, 8:19 AM
Updated: May 1, 2026, 8:19 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 3.6
remediation: 0.0
relevance: 7.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.