Researchers at SentinelOne published details on two critical RCE vulnerabilities discovered in Microsoft Defender for IoT, tracked as CVE-2021-42311 and CVE-2021-42313, each with a CVSS score of 10 and rooted in SQL injection.
Defender for IoT supports a range of IoT, OT, and ICS devices, and can be deployed both on-premises and in the cloud.
CVE-2021-42313, identified in the token validation process, exists because the UUID parameter isn’t sanitized, which allowed the researchers to inject SQL that inserts, updates, and executes commands. They developed PoC code that exploits the bug to extract a logged-in user’s session ID from the database, leading to complete account takeover.
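The pattern described above, unsanitized identifier concatenated into a query, is illustrated here with a constructed example. This is added material, not SentinelOne’s PoC and not Defender for IoT code: a tiny in-memory sqlite3 session store with a vulnerable token lookup next to a hardened one that validates the UUID and binds it as a parameter. Table and column names, the sample UUIDs and the session values are all invented for the demonstration.

```python
import sqlite3
import uuid


def make_db():
    """Constructed in-memory stand-in for a token/session table (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tokens (token_uuid TEXT PRIMARY KEY, session_id TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO tokens VALUES (?, ?)",
        [
            ("6f1c2d3e-4a5b-4c6d-8e9f-0a1b2c3d4e5f", "session-of-alice"),
            ("0e1d2c3b-4a59-4687-9506-1a2b3c4d5e6f", "session-of-bob"),
        ],
    )
    return conn


def lookup_vulnerable(conn, token_uuid):
    """Unsafe: the caller-supplied UUID is interpolated straight into the SQL text.

    Whatever the client sends becomes part of the statement, so a value that is
    not a UUID can change the WHERE clause and leak other users' session IDs.
    """
    query = f"SELECT session_id FROM tokens WHERE token_uuid = '{token_uuid}'"
    return [row[0] for row in conn.execute(query)]


def lookup_hardened(conn, token_uuid):
    """Safe: validate the shape of the input, then bind it as a query parameter.

    Parameter binding is the control that actually prevents injection; the UUID
    parse is defence in depth that rejects malformed input before any query runs
    and canonicalises accepted values (lower-case, hyphenated) so they match the
    stored form.
    """
    try:
        canonical = str(uuid.UUID(token_uuid))
    except ValueError:
        return []  # malformed token: nothing is sent to the database
    rows = conn.execute(
        "SELECT session_id FROM tokens WHERE token_uuid = ?", (canonical,)
    )
    return [row[0] for row in rows]


def demo():
    """Run both lookups against a legitimate token and a non-UUID input."""
    conn = make_db()
    good = "6f1c2d3e-4a5b-4c6d-8e9f-0a1b2c3d4e5f"
    bad = "' OR '1'='1"  # classic tautology; not a UUID, should never reach SQL
    return {
        "vulnerable_good": lookup_vulnerable(conn, good),
        "vulnerable_bad": sorted(lookup_vulnerable(conn, bad)),
        "hardened_good": lookup_hardened(conn, good),
        "hardened_bad": lookup_hardened(conn, bad),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it shows the vulnerable lookup returning every session for the non-UUID input while the hardened lookup returns nothing for it and exactly one session for the real token. A useful detection signal follows from the same observation: any request whose token parameter fails UUID parsing is malformed by definition and can be logged and alerted on before it is ever queried.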
These vulnerabilities were reported to Microsoft in June 2021 and fixed in the December 2021 Patch Tuesday cycle.