Cybersecurity specialists reported the finding of three vulnerabilities affecting SAP 3D Visual Enterprise Viewer, a desktop application used to manage 2D, 3D, animation, video and audio assets. According to the report, successful exploitation of these flaws would allow threat actors deploying multiple attack variants.

Below is a brief description of the reported flaws, as well as their respective tracking keys and scoring according to the Common Vulnerability Scoring System (CVSS).

CVE-2021-42069: A boundary error within the parsing of JT files would allow remote malicious hackers to send target users a specially crafted file, which will trigger an out of bonds reading condition and can even allow running arbitrary code to the target system.

This is a high severity flaw and its exploitation would allow fully compromising affected systems. The flaw received a CVSS score of 7.7/10.

CVE-2021-42068: The insufficient validation of user-supplied input would allow remote attackers to trick victims into opening a specially crafted GIF file and perform a denial of service (DoS) attack.

The vulnerability received a CVSS score of 3.8/10.

CVE-2021-42070: The insufficient validation of user-supplied inputs would allow remote hackers to send specially crafted Jupiter Tessellation (.jt) files, thus performing a DoS attack.

This is a low severity vulnerability and received a CVSS score of 3.8/10.

According to the report, these flaws reside in all SAP 3D Visual Enterprise Viewer versions before v9.

The flaws can be exploited by remote non-authenticated threat actors through the Internet but at the time of writing there were no active exploitation attempts detected. Still, cybersecurity specialists recommend installing the official security patches as soon as possible.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.