Flexera FlexNet Publisher
Act Now | CVSS 9.8 | ICS-CERT ICSA-19-323-01 | Nov 19, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
FlexNet Publisher versions 2018 R3 and earlier contain two vulnerabilities: an input validation flaw (CWE-20) and a memory corruption issue (CWE-119). These could allow a remote, unauthenticated attacker to deny license acquisition for legal software use or execute remote code on the FlexNet Publisher server. No known public exploits are currently available, but the CVSS score of 9.8 reflects the critical severity.
What this means
What could happen
A remote attacker could execute arbitrary code on the FlexNet Publisher server or deny license validation for legal software use, potentially disrupting operations that depend on license verification for access or functionality.
Who's at risk
Organizations using FlexNet Publisher for software license management, particularly those in manufacturing, utilities, and other sectors where licensed software controls access to critical systems. This affects any workstations, servers, or control systems that rely on FlexNet Publisher for license validation.
How it could be exploited
An attacker on the network can send a specially crafted request to the FlexNet Publisher service (port 27000 or web interface) without authentication. The memory corruption flaw in the license validation logic allows the attacker to execute code with the privileges of the FlexNet Publisher service or bypass license checks entirely.
Prerequisites
- Network access to FlexNet Publisher server (typically port 27000 or HTTP/HTTPS ports)
- No authentication required
- Remotely exploitable
- No authentication required
- Low complexity
- Memory corruption vulnerability allows code execution
- High CVSS score (9.8)
- Affects license validation for critical software
Exploitability
Moderate exploit probability (EPSS 4.4%)
Affected products (1)
Product: FlexNet Publisher
Affected Versions: ≤ 2018 R3
Fix Status: 2018 R4 or newer as soon as possible
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to FlexNet Publisher ports (27000, HTTP/HTTPS) using firewall rules; allow only authorized workstations and systems
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade FlexNet Publisher to version 2018 R4 or newer as soon as possible
Long-term hardening
- HARDENING: Isolate the FlexNet Publisher server from the business network and Internet using network segmentation or a DMZ
- HARDENING: If remote access to FlexNet Publisher is required, use a VPN with current security patches and strong authentication
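One way to confirm that the "Do now" workaround is holding is to review accepted connections to the license server and flag any source outside the authorized set. The script below is an added example, not part of the advisory or of any Flexera tooling. The flow-record format, the allowlist networks, the server address and the use of 80/443 for "HTTP/HTTPS" are all assumptions, and the sample records are constructed.

```python
import ipaddress

# Ports named in the advisory's workaround. 80/443 stand in for "HTTP/HTTPS"
# (assumption: a deployment may expose its web interface on other ports).
LICENSE_PORTS = {27000, 80, 443}

# Constructed allowlist of authorized client networks (assumption).
ALLOWED = [ipaddress.ip_network(n) for n in ("10.20.30.0/24", "10.20.40.15/32")]

# Constructed flow records: "timestamp src_ip dst_ip dst_port action".
SAMPLE_FLOWS = """\
2019-11-20T08:01:12Z 10.20.30.7 10.20.1.5 27000 ACCEPT
2019-11-20T08:02:40Z 10.20.40.15 10.20.1.5 443 ACCEPT
2019-11-20T08:03:05Z 192.0.2.44 10.20.1.5 27000 ACCEPT
2019-11-20T08:03:09Z 192.0.2.44 10.20.1.5 27000 DROP
2019-11-20T08:04:51Z 10.99.0.3 10.20.1.5 80 ACCEPT
2019-11-20T08:05:00Z 10.99.0.3 10.20.1.5 22 ACCEPT
malformed line
"""


def unauthorized_flows(log_text, server_ip, allowed=ALLOWED, ports=LICENSE_PORTS):
    """Return sorted (src, port, count) for accepted flows that reached the
    license server's ports from a source outside the allowlist."""
    server = ipaddress.ip_address(server_ip)
    hits = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip records that do not match the assumed format
        _, src, dst, dport, action = fields
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # unparsable address or port
        if dst_ip != server or port not in ports or action != "ACCEPT":
            continue  # other host, other service, or already blocked
        if any(src_ip in net for net in allowed):
            continue  # authorized workstation or system
        hits[(src, port)] = hits.get((src, port), 0) + 1
    return sorted((s, p, c) for (s, p), c in hits.items())


if __name__ == "__main__":
    for src, port, count in unauthorized_flows(SAMPLE_FLOWS, "10.20.1.5"):
        print(f"{src} reached port {port} ({count} accepted flow(s)), not on allowlist")
```

Any row it returns means the firewall rule set still admits that source and needs tightening.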
API: /api/v1/advisories/b6be087b-ace7-4d20-9d88-aca487e41eac