CVE-2024-42366 describes a critical Remote Code Execution (RCE) vulnerability discovered in VRCX, an assistant application for VRChat. The flaw could allow attackers to execute arbitrary commands on vulnerable systems by exploiting a misconfigured CefSharp browser together with cross-site scripting via overlay notifications. The vulnerability affects VRCX versions prior to 2024.03.23, and a patch is available in version 2023.12.24, alongside API-side blocking of older versions.
The impact of CVE-2024-42366 is severe. A successful exploit allows an attacker to achieve remote code execution on a user's machine running a vulnerable version of VRCX. This could lead to complete system compromise, including data theft, malware installation, and further lateral movement within the network. The combination of CefSharp's over-permissions and the ability to inject cross-site scripting payloads creates a potent attack vector. While the VRC team has implemented API-side blocking to prevent older versions from functioning, users who haven't updated are still at risk if they somehow manage to run the outdated application.
CVE-2024-42366 was publicly disclosed on August 8, 2024. The vulnerability's severity is classified as CRITICAL (CVSS 9.1). Public proof-of-concept exploits are not yet widely available, but the combination of over-permissions and XSS makes exploitation likely. It is not currently listed on CISA KEV, but its critical severity warrants monitoring. Active campaigns are not currently confirmed, but the ease of exploitation could lead to opportunistic attacks.
Users of VRCX who have not updated to version 2023.12.24 are at significant risk. This includes users who rely on older VRCX versions for specific VRChat functionalities or those who haven't applied updates due to compatibility concerns. Shared hosting environments where VRCX is installed could also expose multiple users to this vulnerability.
• windows / supply-chain: `Get-Process | Where-Object {$_.ProcessName -eq "VRCX"}`
• windows / supply-chain: `Get-ItemProperty -Path 'HKLM:\Software\VRCX' -Name Version`
• windows / supply-chain: `Get-WinEvent -LogName Application -FilterXPath "*[System[Provider[@Name='VRCX']]]" -MaxEvents 10`
Exploit status: EPSS 2.68% (86th percentile)
The primary mitigation for CVE-2024-42366 is to immediately upgrade VRCX to version 2023.12.24 or later. The VRC team has also implemented API-side blocking to prevent older versions from connecting, which provides an additional layer of protection. If upgrading is temporarily impossible, consider isolating vulnerable systems from external networks to limit potential attack vectors. While a WAF or proxy cannot directly address this vulnerability, it can help mitigate the risk of cross-site scripting attacks. After upgrading, confirm the fix by verifying the VRCX version and attempting to access VRChat to ensure the API-side blocking is functioning as expected.
Update VRCX to version 2023.12.24 or later. The update fixes the cross-site scripting and excessive-permission vulnerabilities that allow remote command execution. If you are using an earlier version, you must update in order to continue using VRCX.
CVE-2024-42366 is a critical RCE vulnerability in VRCX, an assistant application for VRChat, allowing attackers to execute commands via a misconfigured CefSharp browser and XSS.
You are affected if you are using VRCX versions prior to 2023.12.24. Ensure you upgrade immediately to mitigate the risk.
Upgrade VRCX to version 2023.12.24 or later. Also, ensure the VRC API-side blocking is active to prevent older versions from connecting.
While active exploitation is not currently confirmed, the vulnerability's severity and ease of exploitation suggest it could become a target for opportunistic attacks.
Refer to the official VRChat security advisory for details and updates: [https://www.vrchat.com/security/](https://www.vrchat.com/security/)