Security News > 2023 > December > Microsoft discovers critical RCE flaw in Perforce Helix Core Server
Four vulnerabilities, one of which is rated critical, have been discovered in the Perforce Helix Core Server, a source code management platform widely used by the gaming, government, military, and technology sectors.
The four flaws discovered by Microsoft mainly involve denial of service issues, with the most severe allowing arbitrary remote code execution as LocalSystem by unauthenticated attackers.
The most dangerous flaw of the set, CVE-2023-45849, allows unauthenticated attackers to execute code from 'LocalSystem,' a high-privileged Windows OS account reserved for system functions.
In its default configuration, Perforce Server permits unauthenticated attackers to remotely execute arbitrary commands, including PowerShell scripts, as LocalSystem.
By leveraging CVE-2023-45849, attackers may install backdoors, access sensitive information, create or modify system settings, and potentially take complete control of the system running a vulnerable version of Perforce Server.
Hackers are exploiting critical Apache Struts flaw using public PoC. Sophos backports RCE fix after attacks on unsupported firewalls.
News URL
Related news
- Critical PHP RCE vulnerability mass exploited in new attacks (source)
- Critical RCE flaw in Apache Tomcat actively exploited in attacks (source)
- New Critical AMI BMC Vulnerability Enables Remote Server Takeover and Bricking (source)
- Critical AMI MegaRAC bug can let attackers hijack, brick servers (source)
- Critical Veeam Backup & Replication RCE vulnerability fixed, patch ASAP! (CVE-2025-23120) (source)
- Infoseccers criticize Veeam over critical RCE vulnerability and a failing blacklist (source)
- Veeam RCE bug lets domain users hack backup servers, patch now (source)
- Critical Ingress NGINX Controller Vulnerability Allows RCE Without Authentication (source)
- Hijacked Microsoft web domain injects spam into SharePoint servers (source)
- Microsoft fixes auth issues on Windows Server, Windows 11 24H2 (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-11-08 | CVE-2023-45849 | Code Injection vulnerability in Perforce Helix Core An arbitrary code execution which results in privilege escalation was discovered in Helix Core versions prior to 2023.2. | 9.8 |