search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Attachmate Verastream Host Integrator (VHI) allows arbitrary file upload and execution

Vulnerability Note VU#436214

Original Release Date: 2013-11-04 | Last Revised: 2013-11-19


The Attachmate Verastream Host Integrator (VHI) is vulnerable to arbitrary file uploads and execution.


CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - CVE-2013-3626

The Attachmate VHI Session Server, on all platforms, allows unauthenticated remote attackers to write arbitrary files on the machine in which the product is installed by sending a specially crafted message to the VHI Session Server. The affected versions are:

    • 7.5 SP 1 HF 1
    • 7.5 SP 1
    • 7.5
    • 7.1 SP 2 HF 1 - 6
    • 7.1 SP 2
    • 7.1 SP 1
    • 7.1
    • 7.0
    • 6.6
    • 6.5
    • 6.0


An attacker may be able to gain complete control of the server on which the application is installed.


Apply a HotfixAttachmate has released a hotfix to address this issue while a patch is being developed. The hotfix can be found at:

Vendor Information


Attachmate Affected

Notified:  October 02, 2013 Updated: October 10, 2013



Vendor Statement

A hotfix is available at:

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

CVSS Metrics

Group Score Vector
Base 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C
Temporal 7.5 E:POC/RL:TF/RC:C
Environmental 1.9 CDP:N/TD:L/CR:ND/IR:ND/AR:ND



Thanks to Arnold Geels of Attachmate for reporting this vulnerability.

This document was written by Chris King.

Other Information

CVE IDs: CVE-2013-3626
Date Public: 2013-11-04
Date First Published: 2013-11-04
Date Last Updated: 2013-11-19 22:40 UTC
Document Revision: 13

Sponsored by CISA.