Unpatched hole in FlexNet License Server Manager
The Zero Day Initiative (ZDI) has published an advisory about a critical hole in the FlexNet License Server Manager that attackers can use to gain control of a victim's system. The vulnerability is found in the lmadmin component; when attackers send a specially crafted TCP packet to port 27000, they can write data into the server's heap buffer, leading to the possible execution of malicious code.
The FlexNet License Server Manager is only intended for use in local networks and is normally not reachable via the internet. In January, Luigi Auriemma, who discovered the flaw, reported the vulnerability to Flexera, the company that makes the software. Because the firm has yet to publish a patch, details of the vulnerability are now being made public in accordance with the ZDI 180-day deadline.