Check-Out With Extra Charges – Vulnerabilities in Hotel Booking Engine Explained

Bitdefender investigated a 2021 cyber‑attack against the IRM Next Generation booking engine and found malicious files on affected servers along with multiple exploitable vulnerabilities. The team catalogued five CVEs covering hard‑coded credentials and injection flaws, published a disclosure timeline after the vendor did not respond, and released indicators of compromise to its Advanced Threat Intelligence customers. #IRMNextGeneration #ResortDataProcessing

Keypoints

  • Bitdefender discovered malicious files on servers running the IRM Next Generation (IRMNg) online booking engine during an investigation.
  • Five vulnerabilities were identified and assigned CVEs: three instances of hard‑coded credentials (CWE‑798) and two injection flaws (CWE‑89 SQL injection; CWE‑74 output injection).
  • Affected components include RDPCore.dll, RDPWin.dll, RDPData.dll, RDPngFileUpload.dll, and /irmdata/api/ endpoints.
  • Bitdefender attempted responsible disclosure multiple times (May–August 2023) but received no response from the vendor, prompting public release in September 2023.
  • An up‑to‑date list of indicators of compromise is available to Bitdefender Advanced Threat Intelligence users; a whitepaper contains the current known IOCs.

MITRE Techniques

  • No MITRE ATT&CK technique identifiers (Txxxx) are explicitly mentioned in the article.

Indicators of Compromise

  • [File names] Vulnerable vendor components present on compromised servers – RDPCore.dll, RDPWin.dll. These are legitimate IRMNg binaries, so their presence alone is not an indicator; the malicious files Bitdefender found are identified by the hashes in the whitepaper, not by these names.
  • [API endpoints] Vulnerable web API paths – /irmdata/api/ endpoints (hard‑coded credentials present).
  • [DLLs / Functionality] Injection‑related components – RDPData.dll (SQL injection, CWE‑89), RDPngFileUpload.dll (output injection, CWE‑74).
  • [CVE identifiers] Tracked vulnerabilities for correlation – CVE-2023-39420, CVE-2023-39421, CVE-2023-39422, CVE-2023-39423, CVE-2023-39424 (for vulnerability management and ticket correlation; CVE IDs never appear on disk or in traffic and are not detection content by themselves).
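Because the file names in the list above belong to legitimate IRMNg components, a sweep that matches on names alone will flag every healthy installation. The following added example (illustrative Python written for this page, not Bitdefender tooling or the vendor's code) walks a web root, hashes each file, reports hash matches against an IOC set as malicious, and separately lists vendor‑named files whose hash did not match so an operator can verify them against a known‑good build. The directory layout, file contents and the IOC hash are constructed fixtures; in real use the hash set comes from the whitepaper.

```python
import hashlib
import os
import tempfile

# Vendor component names taken from the advisory. They are legitimate IRMNg
# binaries, so a name match is only a prompt to verify the hash, never a verdict.
VENDOR_COMPONENTS = {"rdpcore.dll", "rdpwin.dll", "rdpdata.dll", "rdpngfileupload.dll"}


def sha256_file(path, chunk=1 << 20):
    """Streaming SHA-256 of one file, so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, ioc_hashes):
    """Walk root and classify every file.

    Returns (hash_hits, name_only): hash_hits are (path, digest) pairs whose
    SHA-256 is in ioc_hashes and should be treated as malicious; name_only are
    vendor-named components whose hash did not match, listed for manual
    verification against a known-good build rather than flagged as malicious.
    """
    hash_hits, name_only = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # locked or unreadable file; a production sweep should log it
            if digest in ioc_hashes:
                hash_hits.append((path, digest))
            elif name.lower() in VENDOR_COMPONENTS:
                name_only.append(path)
    return hash_hits, name_only


def demo():
    """Constructed fixture: a throwaway web root holding one benign file that
    carries a vendor component name and one planted file. The IOC set is computed
    from the planted file's constructed content; it is not a hash from the whitepaper,
    and the irmdata/api directory layout is illustrative only."""
    root = tempfile.mkdtemp()
    api_dir = os.path.join(root, "irmdata", "api")
    os.makedirs(api_dir)
    benign = os.path.join(api_dir, "RDPData.dll")
    planted = os.path.join(api_dir, "dropped.aspx")
    with open(benign, "wb") as f:
        f.write(b"MZ constructed stand-in for a legitimate vendor binary")
    with open(planted, "wb") as f:
        f.write(b"<% constructed stand-in for a dropped web shell %>")
    iocs = {sha256_file(planted)}

    hash_hits, name_only = sweep(root, iocs)

    def rel(p):
        return os.path.relpath(p, root).replace(os.sep, "/")

    return {
        "malicious": sorted(rel(p) for p, _ in hash_hits),
        "verify_manually": sorted(rel(p) for p in name_only),
    }


if __name__ == "__main__":
    print(demo())
```

Hashing every file rather than only the vendor‑named ones matters here because the dropped files Bitdefender found are the actual indicators, and an attacker picks their own names for those.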

Bitdefender’s forensic analysis found that attackers leveraged multiple weaknesses in the IRM Next Generation booking engine to place malicious files on servers running the product and to reach the customer data those servers hold. The core issues were hard‑coded credentials (CWE‑798) embedded in RDPCore.dll, RDPWin.dll and in the /irmdata/api/ endpoints, which give anyone who extracts them from a distributed binary or from the web API a valid login without any further exploit, alongside two injection vulnerabilities: an SQL injection in RDPData.dll (CWE‑89) and an output injection flaw in RDPngFileUpload.dll (CWE‑74, improper neutralization of special elements passed to a downstream component), which lets attacker‑controlled input alter what that downstream component processes.

During the investigation (April–May 2023) Bitdefender enumerated the affected binaries and server paths, captured evidence of compromise, and mapped the exploit surface to the specific modules and endpoints listed above. The team assigned a CVE identifier to each flaw, documented the exploitation artifacts, and attempted responsible disclosure to the vendor several times between May and August 2023. With no vendor response and evidence of real‑world compromise already in hand, Bitdefender published its findings in September 2023 and made the indicators available to Advanced Threat Intelligence users to support detection and remediation.

Remediation guidance focuses on replacing or patching the vulnerable binaries, removing hard‑coded credentials from code and configuration, replacing string‑built SQL with parameterized queries (input sanitization alone is not a reliable substitute), neutralizing special characters before data is handed to the downstream component to close the output injection path, and performing host‑level cleanup of identified malicious files. One caveat applies to credential rotation: a credential compiled into a distributed DLL is recoverable by anyone with a copy of the file, so rotating it only helps once a vendor build no longer contains a fixed value. Organizations running IRMNg should consult the whitepaper and Bitdefender ATI feeds for the complete IOC set and apply compensating controls (credential rotation, web application firewall rules in front of the /irmdata/api/ endpoints, and network segmentation that keeps the booking‑engine host away from the rest of the internal network) while updates are deployed.
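To make the two bug classes and their fixes concrete, here is an added example in Python, written for this page and not the vendor's code: a booking‑reference lookup in the CWE‑89 pattern beside its parameterized form, plus a credential loader with no hard‑coded fallback as the CWE‑798 fix. The reservations rows and the environment variable name IRMNG_API_SECRET are assumptions made for the example.

```python
import os
import sqlite3

# Constructed sample rows standing in for a booking-engine table; they are not
# data from the IRMNg product or from the Bitdefender investigation.
SAMPLE_ROWS = [
    ("R-1001", "Alice Example", "4111********1111"),
    ("R-1002", "Bob Example", "5500********0004"),
    ("R-1003", "Carol Example", "3400*******0009"),
]


def make_db():
    """In-memory SQLite database populated with the constructed reservations table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reservations (ref TEXT, guest TEXT, card_masked TEXT)")
    conn.executemany("INSERT INTO reservations VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, ref):
    """CWE-89 pattern: the caller-supplied reference is spliced into the SQL text,
    so a quote character in it changes the structure of the query."""
    sql = "SELECT ref, guest, card_masked FROM reservations WHERE ref = '" + ref + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, ref):
    """Hardened form: the value travels as a bound parameter and is never parsed
    as SQL, whatever characters it contains."""
    sql = "SELECT ref, guest, card_masked FROM reservations WHERE ref = ?"
    return conn.execute(sql, (ref,)).fetchall()


# Classic tautology payload: closes the string literal and appends OR '1'='1'.
INJECTION = "R-1001' OR '1'='1"


def load_api_secret(env=None):
    """CWE-798 fix: the credential comes from the deployment environment and the
    code contains no literal fallback, so nothing secret ships inside a binary.
    IRMNG_API_SECRET is a hypothetical variable name chosen for this example.
    Fails closed when the secret has not been provisioned."""
    env = os.environ if env is None else env
    secret = env.get("IRMNG_API_SECRET")
    if not secret:
        raise RuntimeError("IRMNG_API_SECRET not provisioned; refusing to fall back to a built-in default")
    return secret


def secret_is_provisioned(env):
    """True if load_api_secret would succeed against env, False if it fails closed."""
    try:
        load_api_secret(env)
        return True
    except RuntimeError:
        return False


def demo():
    """Row counts each lookup variant returns for the same inputs."""
    conn = make_db()
    return {
        "vulnerable": len(lookup_vulnerable(conn, INJECTION)),       # every guest's row leaks
        "parameterized": len(lookup_parameterized(conn, INJECTION)),  # no such reference
        "legitimate": len(lookup_parameterized(conn, "R-1001")),      # exactly one row
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable variant hands back all three guests' rows for a single tautology payload; the parameterized variant returns nothing for the payload and still serves the legitimate reference, which is why the fix is to bind parameters rather than to filter characters.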

Read more: https://www.bitdefender.com/blog/labs/check-out-with-extra-charges-vulnerabilities-in-hotel-booking-engine-explained/