Description

Remote Control Server 3.1.1.12, maintained by Steppschuh, allows unauthenticated remote code execution when authentication is disabled, which is the default configuration. The server exposes a custom UDP-based control protocol that accepts remote keyboard input events without verification. An attacker on the same network can issue a sequence of keystroke commands to launch a system shell and execute arbitrary commands, resulting in full system compromise.

PUBLISHED Reserved 2025-07-22 | Published 2025-07-23 | Updated 2025-07-23 | Assigner VulnCheck

CRITICAL: 9.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-306 Missing Authentication for Critical Function

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status: unknown

3.1.1.12: affected

Credits

H4rk3nz0 finder

References

raw.githubusercontent.com/...emote_control_collection_rce.rb exploit

remote-control-collection.com/ product

www.vulncheck.com/...pschuh-remote-control-server-unauth-rce third-party-advisory

cve.org (CVE-2022-4978)

nvd.nist.gov (CVE-2022-4978)