### Key Information

#### Vulnerability Identifier

- **CVE Identifier**: CVE-2021-44207

#### Vulnerability Description

- **Description**: The Acclaim USAHERDS web application 7.4.0.1 and earlier, builds prior to November 2021, used static ValidationKey and DecryptionKey values.

#### CWE

- **CWE enumeration**: CWE-798 - Use of Hard-coded Credentials

#### Impact

- **Impact**: High - Knowledge of the ValidationKey and DecryptionKey can be used to achieve Remote Code Execution on the system that runs the application.

#### Exploitability

- **Exploitability**: Low - The ValidationKey and DecryptionKey would need to be obtained via a separate vulnerability or other channel.

#### Technical Details

- **Technical Details**: These keys are used to provide security for the application ViewState. A threat actor can trick the application server into deserializing maliciously crafted ViewState data.

#### Discovery Credits

- **Discovery Credits**: Douglas Bienstock, Mandiant

#### Disclosure Timeline

- **Disclosure Timeline**: 2021-11-23 - Issue reported to developer. Developer confirmed a patch had recently been released for the same issue.

#### References

- **References**:
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44207
  - https://www.acclaimsytems.com/
  - https://www.tnatc.org/
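
One way to audit for the condition described under Technical Details, as an added example that is not part of the original advisory or the vendor's code: the script parses ASP.NET `web.config` files, flags `machineKey` elements whose `validationKey` or `decryptionKey` is a literal value rather than `AutoGenerate`, and reports values reused across installations. The sample configs, placeholder key strings, and the function names `is_static` and `audit` are constructed for illustration, and the config files are assumed to carry no XML namespace.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample configs; the key strings are placeholders, not real keys.
STATIC = ('<configuration><system.web><machineKey '
          'validationKey="PLACEHOLDER-VALIDATION-KEY" '
          'decryptionKey="PLACEHOLDER-DECRYPTION-KEY" '
          'validation="SHA1" decryption="AES" /></system.web></configuration>')
SAMPLE_CONFIGS = {
    "siteA/web.config": STATIC,
    "siteB/web.config": STATIC,  # same literal keys shipped to a second install
    "siteC/web.config": ('<configuration><system.web><machineKey '
                         'validationKey="AutoGenerate,IsolateApps" '
                         'decryptionKey="AutoGenerate,IsolateApps" />'
                         '</system.web></configuration>'),
    "siteD/web.config": '<configuration><system.web /></configuration>',
}

def is_static(value):
    """True when the attribute holds a literal key instead of AutoGenerate."""
    return bool(value) and not value.strip().lower().startswith("autogenerate")

def audit(configs):
    """Return (findings, shared): literal keys found, and keys reused across files."""
    findings, seen = [], defaultdict(set)
    for path, text in configs.items():
        # iter() also reaches machineKey elements nested under <location>.
        for mk in ET.fromstring(text).iter("machineKey"):
            for attr in ("validationKey", "decryptionKey"):
                value = mk.get(attr)
                if is_static(value):
                    # Report a short fingerprint so the key never lands in logs.
                    fp = hashlib.sha256(value.encode()).hexdigest()[:12]
                    findings.append((path, attr, fp))
                    seen[fp].add(path)
    shared = {fp: sorted(p) for fp, p in seen.items() if len(p) > 1}
    return findings, shared

if __name__ == "__main__":
    findings, shared = audit(SAMPLE_CONFIGS)
    for path, attr, fp in findings:
        print(f"STATIC {attr} in {path} (sha256 prefix {fp})")
    for fp, paths in shared.items():
        print(f"SHARED key {fp} across: {', '.join(paths)}")
```

A key fingerprint that appears in more than one installation indicates the values were shipped with the product rather than generated per deployment.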