Claroty Team82 reveals critical RCE vulnerability in IDIS Cloud Manager Viewer tied to spear-phishing risk

https://industrialcyber.co/industrial-cyber-attacks/claroty-team82-reveals-critical-rce-vulnerability-in-idis-cloud-manager-viewer-tied-to-spear-phishing-risk/

Publish Date: 2026-01-28 03:38:00

Source Domain: industrialcyber.co

New research from Claroty’s Team82 unit uncovered a vulnerability in the IDIS Cloud Manager (ICM) Viewer that lets an attacker build an exploit which runs on the machine hosting the ICM Viewer if the user simply clicks an untrusted link. IDIS has called on users who continue to use the ICM Viewer to upgrade to v1.7.1 and, failing that, to uninstall it immediately. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued CVE-2025-12556 with a CVSS v4 score of 8.7.

“Clicking on untrusted links is widely recognized as a bad practice, and users are routinely educated to avoid doing so,” Vera Mens, security researcher at Claroty, wrote in a Tuesday blog post. “However, under normal circumstances, even if a victim is tricked into visiting an attacker-controlled website, the attacker is typically limited to executing JavaScript within the context of the victim’s browser, which is heavily sandboxed. This vulnerability, however, allows an attacker to escalate beyond the browser sandbox to achieve code execution on the host, introducing a significant security risk.” 

She noted that this makes it a 1-click RCE vulnerability and introduces an interesting attack scenario in which a spear-phishing attack could easily be leveraged into a full compromise of the victim’s computer, giving attackers a foothold in the victim’s network.

“If exploited, the vulnerability could allow an attacker to execute arbitrary code within the context of the host machine. IDIS ICM runs on a Windows machine connected to the cloud in order to view live video feeds, recordings, and search images,” according to Mens. “An attacker would be in control of the host machine and have the ability to execute code, or use that machine as a jumping off point for lateral movement to compromise other endpoints on the network, including other surveillance cameras.”

When WCMViewer.exe is launched, it receives several arguments, including the URL, token, mode, and language. It appears that the URL and token are passed straight through from the message received over the WebSocket, without any additional processing.

Mens wrote “The question arises: Can we inject arguments of our own into the WCMViewer.exe?”

Because WCMViewer.exe is a Chromium-based application that uses the CEF library to embed a Chromium browser inside a native program, that design choice raises a further question: will WCMViewer.exe accept additional Chromium command-line flags beyond those it is intended to use?

“Chromium command-line flags provide a powerful mechanism for altering browser behavior at runtime, allowing developers to tailor functionality without modifying the Chromium application; however, while most flags are benign, a subset can be abused to enable code execution,” Mens said. “One such flag is --utility-cmd-prefix, which is primarily intended for debugging purposes. For example, passing --utility-cmd-prefix='strace' to the Chromium command line causes the browser and its utility subprocesses to be wrapped with strace, enabling detailed runtime tracing.”

The next step is to test whether an argument can be injected into the command line executed by CWGService. To do this, an appropriately crafted message that includes an injected argument must be sent to CWGService. First, an encrypted ‘hello’ message, using the constant key, is sent to CWGService over the WebSocket. An acknowledgement is then received from CWGService, which does not need to be decrypted. Finally, the command message containing the injected argument is encrypted with the same constant key and sent to CWGService.

The post explained that IDIS’ cloud offering comprises the IDIS cloud platform, connected devices such as cameras and NVRs, and the ICM Viewer for desktop and mobile. The desktop IDIS Web Client is built from two separate components. The ICM Web Portal is a web-based interface that provides an assets dashboard where users can add and edit devices for cloud management.

Secondly, the ICM Viewer is a Windows-only application with two parts. WCMViewer.exe is a Chromium-based interface that enables live monitoring, video search, and backups. All data shown to the client is delivered from the cloud, with access controlled through a JWT token issued by IDIS Cloud Manager when the user logs into the web portal.

CWGService.exe, the ICM Viewer Launcher, runs as a Windows service listening on localhost:16140. It waits for a command to launch the ICM Viewer with the required arguments, including the JWT token and language settings. This launch command is triggered when the user clicks the ‘Run Viewer’ button in the web portal.

Several steps are executed when a user logs in to the web portal and runs the ICM Viewer. First, the user enters a username and password on the web portal. The browser then generates an RSA key pair and encrypts the username, password, and public RSA key using a constant key before sending the data to the server.

After successful authentication, the server responds with several items. It returns an AES key, encrypted with the RSA public key, which is used for subsequent communication. It also provides a JWT token, encrypted with that AES key, which is used for communication between the ICM Viewer and the cloud server. In addition, the server sends a seed key, also encrypted with the AES key and likely not used at this stage, along with encrypted information about the logged-in account.

She also noted that “An attacker’s objective is to achieve code execution on the victim’s system. Because the CWGService listens only on the local interface, an attacker can leverage client-side execution by hosting a web page containing JavaScript that sends a crafted WebSocket message to localhost:16140. By tricking the victim into visiting this attacker-controlled page, the JavaScript executes in the victim’s browser context and delivers the malicious message to the local service, resulting in code execution on the victim host.”

In conclusion, Mens said that introducing a new architecture or feature requires that every step within the chain be thoroughly checked, and that the research and exploit were possible because of several flaws. The CWGService does not validate the origin of requests because it has no CORS policy, making it possible to communicate with the WebSocket from outside the idisglobal.com domain. Although the messages are encrypted, the encryption uses a constant key, so an attacker can communicate with the socket easily.

Furthermore, the CWGService does not sanitize the arguments it receives. The WCMViewer also fails to validate whether the passed arguments are legitimate before forwarding them to the CEF component.
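The three flaws listed above (no origin validation, no argument sanitisation, and no check that the viewer's arguments are legitimate) map directly onto three input checks a localhost launcher service should perform. The following is an added example written for this article, not IDIS or Claroty code: it sketches what those checks look like for a WebSocket-driven launcher. The message field names, the allowed origins, the mode list and the viewer path are assumptions made for the example.

```python
"""Added example (not IDIS or Claroty code): input validation for a localhost
launcher service of the kind the article describes.

It implements the three checks whose absence Team82 lists: an Origin allowlist
on the WebSocket handshake, an exact field set for the launch message, and a
rejection of anything flag-like before it can reach the viewer's argv. Field
names, the allowed origins, the mode list and the viewer path are assumptions.
"""
import re
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://idisglobal.com", "https://www.idisglobal.com"}  # assumed
EXPECTED_FIELDS = {"url", "token", "mode", "language"}                      # assumed names
ALLOWED_MODES = {"live", "search", "backup"}                                # assumed values
CLOUD_DOMAIN = "idisglobal.com"
LANG_RE = re.compile(r"^[a-z]{2}(-[A-Z]{2})?$")
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")
VIEWER_PATH = r"C:\Program Files\IDIS\WCMViewer.exe"                       # assumed install path


class LaunchRejected(ValueError):
    """Raised for any request the launcher must refuse."""


def check_origin(origin):
    """Browsers always send Origin on a WebSocket upgrade, so a page served from
    any other site is refused here. A native client on the same host can forge
    the header; this check closes the drive-by web path, not local attackers."""
    if origin not in ALLOWED_ORIGINS:
        raise LaunchRejected(f"origin not allowed: {origin!r}")


def _reject_flag_like(name, value):
    """No client-supplied value may look like a command-line switch or contain
    separators that a shell or CreateProcess parser would split on."""
    if not isinstance(value, str) or not value:
        raise LaunchRejected(f"{name}: missing or not a string")
    if value.lstrip().startswith("-"):
        raise LaunchRejected(f"{name}: value may not start with '-'")
    if any(ch in value for ch in " \t\r\n\"'"):
        raise LaunchRejected(f"{name}: whitespace and quotes not permitted")


def build_viewer_argv(message):
    """Validate a launch message and return the argv list for the viewer.

    The service, not the client, decides which switches exist; the client only
    supplies values, each checked against a strict pattern. Returning a list
    (never a shell string) keeps each value a single argument."""
    if not isinstance(message, dict):
        raise LaunchRejected("message must be an object")
    extra, missing = set(message) - EXPECTED_FIELDS, EXPECTED_FIELDS - set(message)
    if extra or missing:
        raise LaunchRejected(f"unexpected fields {sorted(extra)}, missing {sorted(missing)}")
    for name, value in message.items():
        _reject_flag_like(name, value)

    parts = urlsplit(message["url"])
    host = parts.hostname or ""
    if parts.scheme != "https" or not (host == CLOUD_DOMAIN or host.endswith("." + CLOUD_DOMAIN)):
        raise LaunchRejected("url must be https on the IDIS cloud domain")
    if not JWT_RE.match(message["token"]):
        raise LaunchRejected("token is not a JWT")
    if message["mode"] not in ALLOWED_MODES:
        raise LaunchRejected("unknown mode")
    if not LANG_RE.match(message["language"]):
        raise LaunchRejected("bad language tag")

    return [VIEWER_PATH,
            f"--url={message['url']}",
            f"--token={message['token']}",
            f"--mode={message['mode']}",
            f"--lang={message['language']}"]


def try_launch(origin, message):
    """Return (True, argv) for an acceptable request, else (False, reason)."""
    try:
        check_origin(origin)
        return True, build_viewer_argv(message)
    except LaunchRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample messages: one legitimate, two of the kind the service must refuse.
    good = {"url": "https://cloud.idisglobal.com/viewer", "token": "hdr.pay.sig",
            "mode": "live", "language": "en-US"}
    print(try_launch("https://www.idisglobal.com", good))
    print(try_launch("https://attacker.example", good))                            # wrong origin
    print(try_launch("https://www.idisglobal.com",
                     dict(good, token="hdr.pay.sig --some-chromium-flag=x")))     # flag injection
```

The constant-key encryption is the one flaw this sketch does not address: an origin check on the handshake is what prevents an arbitrary web page from reaching the service at all, and the argv construction ensures that even a message which does arrive can only supply values for switches the service itself names.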

“Attackers will always look for attack surfaces introduced by new design changes in a product,” Mens wrote. “We encourage the researchers to look for those exposures as well and disclose the vulnerabilities as soon as they are found. We encourage the users to be in the know of what devices they own, and patch them as soon as possible.”

Last week, Claroty secured US$150 million in Series F funding led by Golub Growth, an affiliate of Golub Capital, with additional confirmed participation from existing investors up to $50 million. This new investment will fuel global expansion through both organic and inorganic growth, as the company continues to pursue an aggressive vision for building the industry’s most comprehensive CPS protection platform.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.