Popular Netop Remote Learning Software Found Vulnerable to Hacking
Cybersecurity researchers on Sunday disclosed multiple critical vulnerabilities in remote student monitoring software Netop Vision Pro that a malicious attacker could abuse to execute arbitrary code and take over Windows computers.
The vulnerabilities, tracked as CVE-2021-27192, CVE-2021-27193, CVE-2021-27194, and CVE-2021-27195, were reported to Netop on December 11, 2020, after which the Denmark-based company fixed the issues in an update released on February 25.
Netop counts half of the Fortune 100 companies among its customers and connects more than 3 million teachers and students with its software.
Netop Vision Pro allows teachers to remotely perform tasks on students' computers, such as monitoring and managing their screens in real time, restricting access to a list of allowed Web sites, launching applications, and even redirecting students' attention when they are distracted.
While most of the vulnerabilities have been fixed, the fixes put in place by Netop still don't address the lack of network encryption, which is expected to be implemented in a future update.
"It doesn't matter where one of these student's PCs gets compromised, as a well-designed malware could lay dormant and scan each network the infected PC connects to until it finds other vulnerable instances of Netop Vision Pro to further propagate the infection."
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-03-25 | CVE-2021-27192 | Improper Privilege Management vulnerability in Netop Vision PRO: Local privilege escalation vulnerability in Windows clients of Netop Vision Pro up to and including 9.7.1 allows a local user to gain administrator privileges whilst using the clients. | 7.8 |
2021-03-25 | CVE-2021-27193 | Incorrect Default Permissions vulnerability in Netop Vision PRO: Incorrect default permissions vulnerability in the API of Netop Vision Pro up to and including 9.7.1 allows a remote unauthenticated attacker to read and write files on the remote machine with system privileges resulting in a privilege escalation. | 9.8 |
2021-03-25 | CVE-2021-27194 | Cleartext Transmission of Sensitive Information vulnerability in Netop Vision PRO: Cleartext transmission of sensitive information in Netop Vision Pro up to and including 9.7.1 allows a remote unauthenticated attacker to gather credentials including Windows login usernames and passwords. | 8.8 |
2021-03-25 | CVE-2021-27195 | Incorrect Authorization vulnerability in Netop Vision PRO: Improper Authorization vulnerability in Netop Vision Pro up to and including 9.7.1 allows an attacker to replay network traffic. | 5.9 |