The Up.time client for Windows is vulnerable to a format string attack as well as a buffer overflow, and may allow unauthenticated users to perform certain commands.
CWE-134: Uncontrolled Format String - CVE-2015-2894
For versions 6.0 and 7.2, an unauthenticated attacker on the network may send either the "%n" or "%s" format parameter, which will cause the application to crash. This vulnerability was addressed in version 7.6.
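The bug class described above (CWE-134), shown in its hardened form together with a simple input check, as an added example that is not Up.time's code and not part of the original advisory. The function names `format_reply` and `count_directives`, the reply text and the sample request are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (CWE-134), kept as a comment so it is never executed:
 *     snprintf(out, outlen, request);    // the request chooses the conversions
 * No arguments match those conversions, so "%s" reads through an arbitrary
 * pointer and "%n" writes through one; either can crash the process.
 */

/* Hardened form: the format is a constant and the request is only data.
 * Returns the reply length, or -1 on error or truncation. */
int format_reply(char *out, size_t outlen, const char *request)
{
    int n = snprintf(out, outlen, "unknown command: %s", request);
    return (n >= 0 && (size_t)n < outlen) ? n : -1;
}

/* Detection helper: count conversion specifications in untrusted input so a
 * request carrying "%n" or "%s" can be logged. "%%" is a literal percent and
 * a lone trailing '%' is not counted. */
size_t count_directives(const char *s)
{
    size_t count = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%')
            continue;
        if (s[i + 1] == '%') {      /* escaped percent: skip both characters */
            i++;
            continue;
        }
        if (s[i + 1] != '\0')
            count++;
    }
    return count;
}

int main(void)
{
    const char *request = "%n%s%s";  /* constructed sample input */
    char reply[64];

    if (format_reply(reply, sizeof reply, request) > 0)
        printf("%s (directives seen: %zu)\n", reply, count_directives(request));
    return 0;
}
```

Building with `-Wformat -Wformat-security` (GCC and Clang) flags the commented-out pattern wherever it appears in real code.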
A remote unauthenticated user may be able to perform a denial of service on Up.time, or obtain system information for future use. It may also be possible to execute code.
Apply an update
Thanks to Matthew Benton and Richard Kelley for reporting this issue to us.
This document was written by Garret Wassermann.