CVE-2024-22076: 
MyQ vulnerability analysis and mitigation

CVE-2024-22076 affects MyQ Print Server versions before 8.2 patch 43, discovered in January 2024. The vulnerability allows remote authenticated administrators to execute arbitrary code via PHP scripts through the administrative interface (NVD, Access42).

The vulnerability exists in the Job Parser functionality of MyQ Print Server when enabled with administrative credentials. It allows the execution of PHP code with NT Authority/SYSTEM privileges, which is the highest level of privilege on a Windows system. The vulnerability received a CVSS v3.1 Base Score of 9.8 (CRITICAL) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD, Access42).

The vulnerability allows attackers with administrative access to execute arbitrary code with SYSTEM-level privileges, potentially leading to complete system compromise. This level of access grants unfettered control over the entire operating system, including the ability to manipulate files and access sensitive data (Access42).

The vulnerability was patched in MyQ Print Server 8.2 patch 43, released on January 22, 2024. The fix includes an option in Easy Config to lock/unlock Queue's Scripting (PHP) settings for changes, allowing these settings to be kept in read-only mode. By default, this option is disabled (MyQ Release Notes).

The vendor, MyQ, was noted to have handled the responsible disclosure process adequately with clear and transparent communication throughout. The vulnerability was initially disclosed to the vendor on November 23, 2023, and they responded promptly with confirmation of an upcoming patch (Access42).