CVE-2025-47959: Visual Studio Remote Code Execution Vulnerability

Overview

Severity: High (CVSS 7.1)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Category: Remote Code Execution
Exploit Status: Not Exploited
Exploitation Likelihood: Unlikely
Patch Tuesday: 2025-Jun
Released: 2025-06-10
EPSS Score: 0.61% (percentile: 69.7%)

Description

Improper neutralization of special elements used in a command ('command injection') in Visual Studio allows an authorized attacker to execute code over a network.

FAQ

Q: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?
A: Successful exploitation of this vulnerability requires that the target system be set up in a specific manner and that the attacker have knowledge of that setup.

Q: According to the CVSS metric, user interaction is required (UI:R) and privileges required is Low (PR:L). What does that mean for this vulnerability?
A: An authorized attacker with standard user privileges could place a malicious file in an online directory or in a local network location and then wait for the user to run the file.

Q: According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution?
A: This attack requires a specially crafted file to be placed either in an online directory or in a local network location. When a victim runs this file, it loads the malicious DLL.

Affected Products (4)

Developer Tools

  • Microsoft Visual Studio 2022 version 17.12
  • Microsoft Visual Studio 2022 version 17.8
  • Microsoft Visual Studio 2022 version 17.10
  • Microsoft Visual Studio 2022 version 17.14

Security Updates (4)

Acknowledgments

Nitesh Surana (@_niteshsurana) & Nelson William Gamazo Sanchez of Trend Micro Research with Trend Zero Day Initiative

Revision History

  • 2025-06-10: Information published.