NetSPI discovered a Remote Code Execution vulnerability in SailPoint’s IQService component due to default insecure configurations including a hard-coded encryption key and lack of authentication. An exploit was developed demonstrating unauthenticated command execution, leading SailPoint to enforce TLS and client authentication in updates. #SailPointIQService #RemoteCodeExecution #NetSPI
Keypoints
- SailPoint IQService prior to May 2025 is vulnerable to unauthenticated Remote Code Execution (RCE) because of insecure default settings.
- In its default configuration the IQService uses a hard-coded encryption key, does not authenticate the client that connects to it, and does not enable SSL/TLS.
- NetSPI identified the vulnerability during an internal penetration test and, by reverse engineering the service, analyzed the encrypted RPC communication.
- A crafted XML-RPC payload directed at the ScriptExecutor service was used to execute arbitrary system commands without authentication.
- The vulnerability was confirmed by remotely executing the "whoami" command on the IQService server, which returned the SYSTEM account.
- SailPoint responded by enforcing TLS communication and client authentication, and by disabling script execution when TLS is not configured.
- Remediation involves updating IQService, enforcing TLS and client authentication, restricting network access to the service (5050/tcp) to the IdentityIQ hosts that legitimately call it, and removing the insecure default settings.
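The remediation points above (restrict who can reach the service, and make sure only TLS sessions reach it) can be checked from network telemetry. The following is an added example written for this summary, not code from the NetSPI post or from SailPoint: it walks Zeek-style conn.log records and flags 5050/tcp sessions that either come from a host outside an allowlist of IdentityIQ servers or are not TLS. The log lines, the allowlist, the 10.0.x.x addresses and the assumption that a hardened IQService only accepts sessions Zeek labels as service "ssl" are all constructed for the example.

```python
"""Flag suspicious IQService (5050/tcp) sessions in Zeek-style conn.log lines.

Added example, not part of the original post. Assumptions (all constructed):
- tab-separated fields in the order
  ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service, conn_state
- the only legitimate IQService client is the IdentityIQ host 10.0.1.10
- a correctly hardened IQService accepts TLS only, which Zeek reports as
  service "ssl"; anything else ("-" for an unrecognised protocol) is a
  session that is not protected by TLS
"""
from dataclasses import dataclass

IQSERVICE_PORT = 5050

# Hypothetical allowlist: IdentityIQ servers that are allowed to reach IQService.
ALLOWED_CLIENTS = {"10.0.1.10"}

# Constructed sample log (not captured traffic). Lines 2 and 3 are the ones a
# defender should see: an allowed client using a non-TLS session, and an
# unexpected host talking to the IQService port without TLS.
SAMPLE_CONN_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state
1716000001.000\t10.0.1.10\t51000\t10.0.2.20\t5050\ttcp\tssl\tSF
1716000002.000\t10.0.1.10\t51001\t10.0.2.20\t5050\ttcp\t-\tSF
1716000003.000\t10.0.9.99\t44444\t10.0.2.20\t5050\ttcp\t-\tSF
1716000004.000\t10.0.9.99\t44445\t10.0.2.20\t443\ttcp\tssl\tSF
"""

REASON_UNEXPECTED_CLIENT = "unexpected client to IQService port"
REASON_NO_TLS = "non-TLS session to IQService port"


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    reason: str


def parse_conn_line(line):
    """Split one conn.log record into the fields this check needs.

    Returns None for header/comment lines and for records that are too short.
    """
    if not line or line.startswith("#"):
        return None
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 8:
        return None
    return {
        "ts": fields[0],
        "src": fields[1],
        "dst": fields[3],
        "dport": int(fields[4]),
        "proto": fields[5],
        "service": fields[6],
    }


def find_iqservice_findings(log_text, allowed_clients=ALLOWED_CLIENTS):
    """Return a Finding for every policy violation on the IQService port.

    A single session can produce two findings (unexpected source and no TLS),
    which is deliberate: each condition is a separate remediation gap.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_conn_line(line)
        if rec is None:
            continue
        if rec["proto"] != "tcp" or rec["dport"] != IQSERVICE_PORT:
            continue  # only the IQService listener is of interest here
        if rec["src"] not in allowed_clients:
            findings.append(Finding(rec["ts"], rec["src"], rec["dst"], REASON_UNEXPECTED_CLIENT))
        if rec["service"] != "ssl":
            findings.append(Finding(rec["ts"], rec["src"], rec["dst"], REASON_NO_TLS))
    return findings


if __name__ == "__main__":
    for f in find_iqservice_findings(SAMPLE_CONN_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}: {f.reason}")
```

Run against the constructed sample, the check reports three findings: the allowed IdentityIQ host opening a non-TLS session, and the unexpected host 10.0.9.99 both reaching the port and doing so without TLS. The 443/tcp record is ignored. In a real deployment the allowlist is the set of IdentityIQ application servers, and any hit on the "unexpected client" reason after the hardening update is worth an investigation because, per the findings above, the pre-fix service would have executed the caller's script without authentication.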
MITRE Techniques
- [T1210] Exploitation of Remote Services – Exploited an insecure default configuration in SailPoint IQService, a network service listening on 5050/tcp, to execute arbitrary code via crafted RPC requests without authentication ("an attacker who knows the default encryption key can send a crafted request to the service to execute arbitrary code"). T1203 (Exploitation for Client Execution) does not fit: it covers client-side applications such as browsers and document viewers, not a listening service.
- [T1046] Network Service Discovery – Identified the IQService listener on 5050/tcp from scanner output and then probed and reverse engineered the RPC protocol, whose encrypted sessions were predictable because the key is fixed ("Unknown Service Detection: Banner Retrieval on port 5050/tcp"). This was active probing rather than passive capture, so T1040 (Network Sniffing) is not the right mapping.
- [T1059] Command and Scripting Interpreter – Used a crafted XML-RPC payload that embeds a script to execute commands through the ScriptExecutor service ("created a functional runBeforeScript XML payload… confirmed unauthenticated remote code execution"). T1064 (Scripting) is a retired technique ID superseded by T1059.
Indicators of Compromise
- [Port] SailPoint IQService default listening port – 5050/tcp, used for RPC communication.
- [File Name] IQService service executable and the RPC DLL in which the default encryption key was found – IQService.exe, RPCServer.dll.
- [Repository] Proof of Concept exploit code – https://github.com/NetSPI/set_sail