Security Advisory
Generex RCCMDTray Remote OS Command Execution
The RCCMDTray tool allows unauthenticated remote execution of arbitrary OS commands.
CVE: none
CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Severity: high
Affected versions: RCCMD version 4.65.12 250210 / UPSMAN version 6.35 250319 / RCCMD-Tray Version 1.0.1.2 (older versions are also affected)
Fixed versions: RCCMD version 4.68 250623 / UPSMAN version 6.35 250708
Discovered by: Hans-Martin Münch
Product description
RCCMD (Remote Control Command) is used all over the world, wherever a flexible software solution is required for an emergency shutdown. RCCMD runs independently of the platform and can connect physical machines with fully virtualized environments to ensure a structured shutdown.
UPSMAN is the ultimate UPS shutdown management control software for your server. The UPSMAN software is used on computers in the UPS-related sector that are directly connected to the UPS via USB or a serial network port.
Details
The Windows installation of RCCMD / UPSMAN includes a utility called RCCMDTray, which is executed when a user logs in. Its purpose is to receive messages from the RCCMD service and display them to the currently logged-in user.
When active, RCCMDTray opens a TCP service on port 641, which listens for incoming messages. This service is not restricted to localhost and is accessible over the network.
The protocol used by the service is very simple and lacks any form of authentication. Critically, it allows the execution of arbitrary OS commands in the context of the currently logged-in user.
The following Proof of Concept (PoC) payload demonstrates remote command execution by launching the Windows Calculator (‘calc.exe’). It uses the Unix command-line tool netcat (nc) to deliver the payload:
echo 'RCCMD|10|"calc.exe"|' | nc TARGET_IP 961
Important notes:
- This vulnerability can only be exploited when a user is actively logged into the system. If no user is logged in, RCCMDTray is not running, and the network service is not exposed.
- The installation routine for RCCMD / UPSMAN adds a rule to the local firewall ruleset, so the service can be exposed even when a local firewall is deployed.
Workarounds
- Block remote access to the service through the local firewall
- Remove RCCMDTray from the Windows Autostart (HKLM registry key)
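To check whether a host still exposes the listener and which firewall rule permits it, the following PowerShell audit can be run locally in an elevated session. It is an added example, not part of the original advisory or the vendor's tooling; the port list is an assumption taken from the two port numbers that appear in this advisory (641 in the text, 961 in the PoC), and `Test-PortSpec` is a hypothetical helper name.

```powershell
# Added example (not from the advisory): local exposure audit for the RCCMDTray listener.
# Assumption: candidate ports. The advisory text says TCP 641, its PoC command uses 961.
$Ports = 641, 961

function Test-PortSpec($Spec, [int]$Port) {
    # A firewall port filter holds 'Any', single ports, or ranges such as '600-700'.
    # Only explicit ports and ranges are matched here; 'Any' rules are matched by program below.
    foreach ($s in @($Spec)) {
        if ($s -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($s -match '^\d+$' -and [int]$s -eq $Port) { return $true }
    }
    return $false
}

# 1. Listeners on the candidate ports, flagged when bound beyond loopback.
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $Ports } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $addr = [System.Net.IPAddress]::Parse($_.LocalAddress)
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            Process      = $proc.ProcessName
            Path         = $proc.Path
            Exposed      = -not [System.Net.IPAddress]::IsLoopback($addr)
        }
    }
$listeners | Format-Table -AutoSize

# 2. Enabled inbound allow rules that open those ports or name the listening executable.
$paths = @($listeners.Path | Where-Object { $_ })
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $pf     = $_ | Get-NetFirewallPortFilter
    $prog   = [Environment]::ExpandEnvironmentVariables(($_ | Get-NetFirewallApplicationFilter).Program)
    $byPort = $pf.Protocol -eq 'TCP' -and ($Ports | Where-Object { Test-PortSpec $pf.LocalPort $_ })
    if ($byPort -or $paths -contains $prog) {
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Profile   = $_.Profile
            LocalPort = $pf.LocalPort -join ','
            Program   = $prog
        }
    }
} | Format-Table -AutoSize
```

A row with `Exposed = True` means the service is bound to a non-loopback address; any rule listed in the second table is a candidate for the firewall workaround above. The check is only meaningful while a user is logged in, since RCCMDTray does not run otherwise.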
Coordinated Disclosure Timeline
- 12/05/2025 Sending the vulnerability report to the Generex security team
- 19/05/2025 Response from Generex, confirming the vulnerability
- 09/07/2025 Response from Generex, stating that they restricted access to localhost in the latest version of RCCMD, but not yet in UPSMAN
- 25/07/2025 Generex releases new version of UPSMAN
- 04/08/2025 MOGWAI LABS notices that a new version of UPSMAN has been released, public release of the advisory