Cybersecurity specialists report the detection of two critical vulnerabilities in some versions of F-Secure Internet Gatekeeper. According to the report, the successful exploitation of these flaws would allow malicious hackers to inject code into the affected systems.

Below are brief descriptions of the reported flaws, in addition to their respective identification keys and scores assigned under the Common Vulnerability Scoring System (CVSS).

CVE-2021-33601: Improper validation of inputs in the web interface of the affected product allows malicious hackers to send specially crafted requests and execute arbitrary code on the target system.

The vulnerability received a CVSS score of 8.5/10 and its successful exploitation could result in the total compromise of the affected system.

CVE-2021-33600: On the other hand, a claim error in the web UI within the “usernameL parameter would allow remote threat actors to pass specially crafted entries to the vulnerable application, triggering a denial of service (DoS) condition.

This is a flaw of medium severity and received a CVSS score of 6.5/10.

According to the report, both flaws reside in F-Secure Internet Gatekeeper v5.

Although the vulnerabilities could be exploited by unauthenticated remote threat actors, cybersecurity experts have not detected active exploitation attempts or the existence of a malware variant associated with the exploitation of these flaws.

Updates are now available, so users of affected deployments are encouraged to upgrade as soon as possible.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.