"CyberGhost VPN Patches Command Injection Vulnerability"

CyberGhost VPN, a popular provider of Virtual Private Network (VPN) solutions, has patched a recently discovered command injection vulnerability that left Windows users' systems exposed to potential compromise. The difficulty the researcher who discovered the vulnerability had in disclosing it adds intrigue to the bug's discovery. Ceri Coburn of the UK-based security research company Pen Test Partners found that the CyberGhost VPN client is vulnerable to an elevation of privilege flaw, and stated that the vulnerability affects roughly 3 million CyberGhost customers. The latest version of CyberGhost, 8.3.10.10015, released on February 24, 2023, addresses this issue. It is unknown whether the patch was pushed to endpoints running previous versions of the software or whether customers must update their installations manually. According to Coburn, a specially crafted JSON payload sent to the CyberGhost Remote Procedure Call (RPC) service can lead to command line injection when the OpenVPN process is launched, resulting in full system compromise. This article continues to discuss the command injection vulnerability patched by CyberGhost VPN.

SC Magazine reports "CyberGhost VPN Patches Command Injection Vulnerability"
