{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/748485#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview  \r\nA security flaw exists in the configuration management endpoint of the DRC INSIGHT software, allowing an unauthenticated user with access to the same network as the server to modify the server’s configuration file. This could enable data exfiltration, traffic redirection, or service disruption. \r\n\r\n### Description  \r\nData Recognition Corporation (DRC) provides software for test proctoring, including the web-based DRC INSIGHT platform. A component of this platform, Central Office Services (COS), is typically deployed on a school or district local area network to host and distribute testing content to student devices. \r\n\r\nCOS uses a unified API router that serves both public content functions, such as exam delivery, and administrative functions, without meaningful separation between content-serving APIs and management APIs. \r\n\r\nThe `/v0/configuration` administrative endpoint is accessible to systems on the same network as the COS server without authentication or origin validation. Any unauthenticated user or compromised device with network access to the server may submit requests that modify the server’s configuration file. The endpoint accepts and persists user-supplied JSON payloads without validating content, checking authorization, or verifying the safety of requested configuration changes. This vulnerability is tracked as CVE-2026-5756. \r\n\r\n### Impact  \r\nExploitation could allow an attacker to exfiltrate student data by overwriting storage configuration values or credentials so that test artifacts, responses, or audio recordings are sent to attacker-controlled external services instead of intended DRC-managed destinations. An attacker could also intercept or manipulate outbound traffic by inserting a malicious `httpsProxy` setting, causing HTTPS communications with DRC validation or content services to pass through an attacker-controlled proxy. In addition, malformed JSON, invalid port bindings, or incorrect service endpoints could disrupt operations by preventing the server from starting or interfering with active assessments. \r\n\r\n### Mitigations  \r\nCoordination with the vendor was unsuccessful, and no patch is currently available. Organizations that are unable to update or modify the application should restrict network access to the COS server by placing it on a dedicated, isolated network segment accessible only to trusted administrative systems. Student and guest networks should not be permitted to reach the server. \r\n\r\nHost-based or network firewalls should be used to restrict access to the `/v0/configuration` endpoint, ideally limiting access to localhost or specifically authorized administrative IP addresses. Outbound network traffic should be restricted to approved destinations, such as DRC infrastructure, and monitored for unexpected connections to unknown storage services or proxy endpoints. \r\n\r\nAdministrators should enable logging and monitoring capable of detecting requests to the `/v0/configuration` endpoint, unauthorized configuration changes, and unusual outbound traffic patterns. Services should run with least privilege, with write access to configuration files limited wherever possible. Signed backups of configuration files should be maintained and their integrity verified before restoration or redeployment. \r\n\r\n### Acknowledgments  \r\nThanks to Caen Jones for responsibly disclosing this vulnerability.  \r\nDocument prepared by Timur Snoke with the assistance of AI.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/748485"},{"url":"https://www.datarecognitioncorp.com/education-services/insight/","summary":"https://www.datarecognitioncorp.com/education-services/insight/"}],"title":"Unauthenticated configuration modification vulnerability in Central Office Services - Content Hosting Component","tracking":{"current_release_date":"2026-04-23T12:28:15+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.36"}},"id":"VU#748485","initial_release_date":"2026-04-23 12:28:15.099682+00:00","revision_history":[{"date":"2026-04-23T12:28:15+00:00","number":"1.20260423122815.1","summary":"Released on 2026-04-23T12:28:15+00:00"}],"status":"final","version":"1.20260423122815.1"}},"vulnerabilities":[{"title":"Unauthenticated Configuration File Modification Vulnerability in DRC Central Office Services (COS) allows an attacker to modify the server's configuration file, potentially leading to mass data exfiltration, malicious traffic interception, or disruption of testing services.","notes":[{"category":"summary","text":"Unauthenticated Configuration File Modification Vulnerability in DRC Central Office Services (COS) allows an attacker to modify the server's configuration file, potentially leading to mass data exfiltration, malicious traffic interception, or disruption of testing services."}],"cve":"CVE-2026-5756","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#748485"}]}],"product_tree":{"branches":[]}}