Products
Pricing
Company
Resources
Support

Start free trial

Start your Digital Employee Experience journey with ControlUp

Learn more

VIRTUAL DESKTOPS

Real-time monitoring, troubleshooting, and remediation

VDI & DaaS Monitoring VDI & DaaS Availability Testing

PHYSICAL DESKTOPS

Local and remote physical endpoint devices and apps monitoring

Physical Endpoint Monitoring SaaS & Web Apps Availability Testing Unified Communications

SECURE DESKTOPS

Vulnerability and patch management for desktop security

Endpoint Security

TECHNOLOGY PARTNERS

Platform integrations for ControlUp monitoring solutions

Microsoft integrations

Citrix Virtual
Apps & Desktops

VMware Horizon

ServiceNow integration

ControlUp Blog

Explore expert insights, tips, and best practices to optimize your IT operations

Read now

Media & Events

Blog Case Studies eBooks Events

Learn

Webinars Podcasts ControlUp Community

Tools

Script Library App Profiler IGEL Integration Pack Incident Savings Calculator EUC MTTR Savings Calculator

4.9

47 Reviews

Company

About Us Newsroom Careers Contact Us Security & Compliance

Partners

Partner Portal Become a Reseller Find a Reseller Technology Alliance Partners

Join now

Issues

Support center Status Page Ask us anything

Software

Download center Release notes

Education

Knowledge center ControlUp Academy ControlUp Community

PRODUCTS

PRICING

RESOURCES

COMPANY

SUPPORT

Request a demo

Security Advisory – CVE-2022-27905

This document addresses Privilege Escalation vulnerability (CVE-2022-27905) in the Controlup Real-Time Agent.

Vulnerability ID: CVE-2022-27905
Severity: Medium
Update Release Date: February 17, 2022
Fix version: Version >= 8.6 for both Hybrid Cloud and COP (On-Premises)

What was the problem?

A local privilege escalation may be possible due to an insecure call to the CreateProcessAsUserA (Unquoted path) WinAPI function while the ControlUp Real-Time Agent is running.
The prerequisites for exploiting this vulnerability are very uncommon and include write access to C:\ by a low-privilege user and the ability to restart the cuAgent service.

Solution

We advise you to do the following:

Upgrade to the latest 8.6 version of ControlUp (Hybrid Cloud and On-Premises).
Deploy the latest ControlUp Real-Time Agent to all endpoints.

It is important to update/uninstall all ControlUp Real-Time Agents even if they are no longer in use. You can watch this 2-minute video to learn how to easily find machines with older ControlUp Real-Time Agent versions.

Upgrade Guides:

Upgrade Guide for Hybrid Cloud 8.x to 8.6
On-Premises Upgrade Guide 8.x to 8.6
Please read more about the new features and security enhancements in our Security Best Practices Guide.

PRODUCTS

VIRTUAL DESKTOPS
- VDI & DaaS Monitoring
- VDI & DaaS Availability Testing
PHYSICAL DESKTOPS
SECURE DESKTOPS
- Endpoint Security

TECHNOLOGY PARTNERS

Citrix Virtual Apps and Desktops
VMware Horizon
Microsoft integrations
ServiceNow Integration

RESOURCES

Blog
Case Studies
eBooks
Events
Webinars
Podcasts
Script Library
App Profiler
IGEL Integration Pack
Incident Savings Calculator
EUC MTTR Savings Calculator

SUPPORT

Submit a ticket
Status page
Download Center
Release notes
Knowledge Center
ControlUp Community

PARTNERS

Partner portal
Become a Reseller
Find a Reseller

COMPANY

About Us
Newsroom
Careers
Contact Us
Security & Compliance

GET STARTED

Get a quote
Download free trial
Request demo
Test Drive ControlUp

4.9

47 Reviews

Manage Cookie Consent

We use technologies like cookies to store and/or access device information. We do this to improve browsing experience and to show (non-) personalized ads. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.

Functional Functional Always active

The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.

Preferences Preferences

The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.

Statistics Statistics

The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.

Marketing Marketing

The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.

View preferences

{title} {title} {title}