Zero day Remote code execution vulnerability in PowerISO

Cybersecurity specialists report the discovery of a critical zero-day vulnerability in PowerISO, an application used to create, mount and emulate, compress or encrypt virtual CD and DVD images, developed by the Chinese company Power Software Ltd. According to the report, successful exploitation of this flaw would allow threat actors to trigger an out of bonds writing conditions.

Tracked as CVE-2021-21871, this flaw exists due to a limit error during input processing when processing untrusted input in the DMG File Format Handler functionality. Remote hackers can create a specially crafted DMG file, enable out of bounds writing and execute arbitrary code on the target system.

The vulnerability received a score of 8.1/10 on the Common Vulnerability Scoring System (CVSS) scale and its exploitation would allow threat actors to compromise the target system completely. According to the report, the fault lies in PowerISO v7.9.

The vulnerability can be exploited remotely by unauthenticated threat actors, although no exploit attempts have been detected in real-world scenarios. However, the flaw has not been corrected, so administrators of affected deployments are required to stay abreast of any announcements related to the correction of these flaws.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.