A newly detected Netwrix Auditor flaw allows hackers to launch RCE

July 20, 2022
Netwrix Auditor Flaw Vulnerability Software Abuse Hackers RCE Remote Code Execution

Researchers have revealed new details regarding a newly discovered security flaw in the Netwrix Auditor application, which allows threat actors to compromise the Active Directory Domain. If an attacker successfully exploits the Netwrix vulnerabilities, it could result in arbitrary code execution on the impacted device.

Based on a report, the service in the Netwrix Auditor is commonly initiated with extensive privileges in an Active Directory landscape. Therefore, a malicious threat actor would likely be able to impact the Active Directory domain.

Netwrix Auditor is an auditing and visibility platform that allows organisations to obtain a consolidated view of their information technology landscape, such as Exchange, file servers, SharePoint, Active Directory, VMware, and other systems, all in a single console.


Over 10,000 Netwrix customers may be prone to cyberattacks in the following days via the recently discovered vulnerability.


The company claims to have nearly 12,000 users across more than a hundred countries. The most notable customers of this software are the King’s College Hospital, Credissimo, Virgin, and Airbus, among others.

The recently disclosed vulnerability, which affected all supported versions before 10.5, has been identified as insecure object deserialisation. This deserialisation happens when unreliable user-controllable data is analysed to inflict remote code execution (RCE) attacks.

The primary cause of this new vulnerability is a poorly secured [.]NET remoting service accessible on TCP port 9004 on the server of Netwrix. Subsequently, it can enable a threat actor to initiate arbitrary commands on the server.

Since the command was operated by the threat actors with NT AUTHORITY\SYSTEM privileges, a malicious entity can exploit this issue and allow a threat actor to take over the Netwrix server.

As of now, cybersecurity experts explained that organisations that rely on Netwrix Auditor are suggested to update the software to its latest version. The most recent version of Netwrix is version 10.5, released by the company last month.

Securities from every organisation are suggested to follow these recommendations to mitigate potential risks.

About the author

Leave a Reply