Cobalt Strike software contains a critical remote code execution (RCE) vulnerability that might allow anyone to take over victim systems

A red-team architecture called Cobalt Strike is mostly used for simulating adversaries. 

The new vulnerability (tracked CVE-2022-42948) affects Cobalt Strike version 4.7.1 and results from an insufficient patch that HelpSystems provided on September 20, 2022, to address an XSS vulnerability that might allow RCE attacks (CVE-2022-39197).

The IBM alert states that the first of these three ways has not yet been properly fixed, despite the HelpSystems patch that was made available last month. The XSS security flaw could be exploited in one of three ways, according to a recent advisory from the IBM-sponsored Security Intelligence team: by changing client-side UI input fields, by mimicking a Cobalt Strike implant check-in, or by hooking a Cobalt Strike implant that is already active on a host.
Greg Darwin, software development manager at HelpSystems, addressed the new vulnerability in a blog post . Greg Darwin explained that RCE could be prompted in particular circumstances using the Java Swing framework, the graphical user interface (GUI) toolkit that powers Cobalt Strike.

According to Darwin, certain Java Swing components will automatically read any text that begins with “html” as HTML content. The only thing that was necessary to stop this behavior was to disable automatic HTML tag parsing across the client.

The security expert further noted that since Cobalt Strike is not the only tool affected by the issue, no new CVE has been published by the company to address it.

Not just Cobalt Strike, but any Java Swing GUI that produces HTML can take advantage of the underlying vulnerability in Java Swing.