CVE-2024-42366 is a critical remote code execution (RCE) vulnerability in VRCX, a companion application for VRChat. An attacker can reach arbitrary command execution on a vulnerable system by combining two weaknesses: an over-permissioned CefSharp (embedded Chromium) browser and cross-site scripting in the overlay notifications that VRCX renders. VRCX versions prior to 2023.12.24 are affected; version 2023.12.24 contains the fix, and the VRChat team has additionally blocked older VRCX versions on the API side.
The impact is severe. A successful exploit gives the attacker code execution on the machine of any user running a vulnerable VRCX build, which can lead to full compromise of that machine: data theft, malware installation, and a foothold for further movement inside the network. The two weaknesses reinforce each other: the XSS supplies a way to run attacker-controlled script inside the overlay, and the CefSharp over-permissions turn that script into native command execution. The API-side blocking is enforced by VRChat's servers and does nothing to the binary already installed on a user's machine, so anyone still running an old build remains exposed wherever that build is actually run.
CVE-2024-42366 was publicly disclosed on August 8, 2024 and is rated CRITICAL (CVSS 9.1). No public proof-of-concept exploit was widely available at disclosure, but the combination of an XSS sink with an over-permissioned browser is a well-understood path to RCE, so exploitation is realistic. The CVE is not listed in CISA KEV and no active campaign has been confirmed; given the severity, it still warrants monitoring, and opportunistic exploitation is plausible.
Anyone running a VRCX version older than 2023.12.24 is at risk, including users who stay on an older build for a specific VRChat workflow or who have deferred the update over compatibility concerns. On a shared or multi-user machine, a single outdated VRCX install exposes every account that runs it.
Local checks (Windows):

```powershell
# Is VRCX running on this host?
Get-Process | Where-Object { $_.ProcessName -eq 'VRCX' }
# Installed version, if the installer recorded one under this key (the key location is this page's assumption and may not exist on your build)
Get-ItemProperty -Path 'HKLM:\Software\VRCX' -Name Version -ErrorAction SilentlyContinue
# Recent Application-log entries from a 'VRCX' provider (returns nothing if the application does not write to the Windows event log)
Get-WinEvent -LogName Application -FilterXPath "*[System[Provider[@Name='VRCX']]]" -MaxEvents 10 -ErrorAction SilentlyContinue
```

EPSS: 2.68% (86th percentile)
The primary mitigation is to upgrade VRCX to version 2023.12.24 or later without delay. VRChat's API-side blocking of older versions adds a second layer, but it is enforced on the server and cannot be relied on as a substitute for patching the client. If upgrading is temporarily impossible, stop running the old build until it can be updated; network isolation of a companion application buys little here, because the attack surface is the notification content that VRCX itself receives and renders, and a WAF or proxy has no visibility into a desktop client's embedded browser. After upgrading, confirm the fix by checking the installed VRCX version, then connect to VRChat to confirm the updated client is accepted while the API-side blocking turns away old versions.
Update VRCX to 2023.12.24 or later. The update fixes the cross-site scripting and over-permission issues that allowed remote command execution. If you are on an older version, you must update to continue using VRCX.
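The one-liners above each answer a single question; the script below, added here as an example and not code from the VRCX project or from this advisory, ties the detection and the post-upgrade verification together. It enumerates VRCX installs from the running process and from the standard Uninstall registry entries, parses VRCX's date-style version string, and flags anything older than 2023.12.24 (the fixed version named on this page). Two things are assumptions for illustration: that the installer writes an Uninstall entry whose DisplayName contains "VRCX", and that the executable's file metadata carries the product version.

```powershell
# Added example (not part of the original advisory or the VRCX project): find VRCX
# installs on a Windows host and flag any version below the patched release.
# Assumptions (adjust for your environment): the fixed version is 2023.12.24 (from the
# advisory); the installer records an Uninstall entry whose DisplayName contains "VRCX";
# the VRCX executable carries its product version in its file metadata.

$FixedVersion = [version]'2023.12.24'

function ConvertTo-VrcxVersion {
    # VRCX uses date-style versions such as 2023.12.24. Extract the YYYY.MM.DD part from
    # whatever the metadata holds (e.g. "v2023.12.24" or "2023.12.24.0") and return $null
    # when nothing parseable is present.
    param([string]$Text)
    if ($Text -match '(\d{4}\.\d{1,2}\.\d{1,2})') { return [version]$Matches[1] }
    return $null
}

function Get-VrcxInstall {
    # Candidate install locations: the running process (if any) and the Uninstall
    # entries written by the installer, per-user and per-machine (including 32-bit view).
    $found = @()

    foreach ($p in Get-Process -Name 'VRCX' -ErrorAction SilentlyContinue) {
        # Read the version from the file on disk rather than MainModule, which can be
        # inaccessible when the process runs at a higher integrity level than this shell.
        $ver = if ($p.Path) { (Get-Item $p.Path).VersionInfo.ProductVersion } else { $null }
        $found += [pscustomobject]@{
            Source  = 'process'
            Path    = $p.Path
            Version = ConvertTo-VrcxVersion $ver
        }
    }

    $uninstallKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    foreach ($entry in Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like '*VRCX*' }) {
        $found += [pscustomobject]@{
            Source  = 'registry'
            Path    = $entry.InstallLocation
            Version = ConvertTo-VrcxVersion $entry.DisplayVersion
        }
    }
    return $found
}

function Test-VrcxVulnerable {
    # One row per install with a Vulnerable flag. An install whose version cannot be
    # read is reported as vulnerable: a build you cannot version is not one you can clear.
    param([Parameter(ValueFromPipeline)]$Install)
    process {
        $vuln = ($null -eq $Install.Version) -or ($Install.Version -lt $FixedVersion)
        [pscustomobject]@{
            Source     = $Install.Source
            Path       = $Install.Path
            Version    = if ($Install.Version) { $Install.Version.ToString() } else { 'unknown' }
            Vulnerable = $vuln
        }
    }
}

$installs = Get-VrcxInstall
if (-not $installs) {
    Write-Output 'No VRCX process or install entry found on this host.'
} else {
    $installs | Test-VrcxVulnerable | Format-Table -AutoSize
}
```

Run it before patching to inventory affected builds and again afterwards to confirm every row reports Vulnerable = False. Because [version] compares Major.Minor.Build numerically, a date-style string such as 2023.12.10 sorts correctly below 2023.12.24, which a plain string comparison would not guarantee.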
CVE-2024-42366 is a critical RCE vulnerability in VRCX, an assistant application for VRChat, allowing attackers to execute commands via a misconfigured CefSharp browser and XSS.
You are affected if you are running any VRCX version prior to 2023.12.24. Upgrade immediately.
Upgrade VRCX to version 2023.12.24 or later. VRChat also blocks older VRCX versions on the API side; this is enforced by VRChat's servers and requires no action on the user's side, but it does not remove the vulnerable code from an old build that is still installed.
While active exploitation is not currently confirmed, the vulnerability's severity and ease of exploitation suggest it could become a target for opportunistic attacks.
Refer to the official VRChat security advisory for details and updates: [https://www.vrchat.com/security/](https://www.vrchat.com/security/)