CVE-2014-1861 Affected versions: 4.3.3 4.3.1 and probably prior versions. Jetro Cockpit Secure Browsing makes use of a client running on a user's workstation in the enterprise's internal network, and a server in the DMZ that connects on the client's behalf to the internet. Attack scenario: User causes server to be compromised by an unpatched or 0-day vulnerability. For example, a browser exploit, or a PDF viewer exploit. The product should provide network separation and sand-box such an attack. However the vulnerability found allows a compromised server to execute code on the client machine using the printing mechanism. Specifically: - If an attacker gains user-level RCE on the server, the found issue will allow RCE on the same user's workstation in the internal network. - If an attacker gains elevated privileged RCE on the server (using a PE vulnerability), the found issue will allow RCE on any user's workstation in the internal network. The client does not validate input coming from the server as a result of a print-to-pdf event. The server can send an .EXE file instead of the expected .PDF file and the client will execute the file upon receiving it. Full disclosure, demo and details here: http://blog.quaji.com/2014/02/remote-code-execution-on-all-enterprise.html Ronen Zilberman